US20210105294A1 - Systems and methods for performing cybersecurity risk assessments - Google Patents
- Publication number
- US20210105294A1 (application US16/596,298)
- Authority
- US
- United States
- Prior art keywords
- actions
- exploitability
- attack
- subject system
- vulnerabilities
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Definitions
- the field of the present disclosure relates generally to assessing potential cybersecurity threats and, more specifically, to automatically assessing potential cybersecurity threats to a subject system and determining potential countermeasures.
- risk assessments generally consider the likelihood and consequence of a hazard event to be the primary variables in calculating risk.
- Cybersecurity risk assessments often make use of a semi-quantitative assessment of likelihood and consequence to derive various metrics of risk in the absence of true probabilities for likelihood or true measures of consequence.
- Most assessment methods define intentionally specific criteria that are used to segregate hazard events into various bins of likelihood and consequence. These methods convey an unfounded sense of certainty regarding the likelihood or consequence of hazard events and may artificially distance hazard events that in fact possess similar risk characteristics.
- performing precise cybersecurity assessments takes significant time and requires a significant amount of subject matter expertise, which greatly increases their cost.
- assessors are forced to expend significant resources to decrease uncertainty for all assessment inputs instead of the select few inputs that most significantly affect assessment results.
- traditional cybersecurity risk assessment approaches often struggle to naturally represent assessment aspects related to subject systems that are not in fact part of the system (e.g. the physical security of the subject system). This limits the utility of these methods for assessing the overall security posture of a system.
- a cybersecurity analyzing system for assessing potential cybersecurity threats to a subject system.
- the system includes a computing device that includes at least one processor in communication with at least one memory device.
- the at least one processor is programmed to: receive a subject system to analyze, determine a potential hazard event associated with the subject system, generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determine an exploitability score for each of the plurality of actions, determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generate a response to the one or more vulnerabilities of the subject system.
- a method for assessing potential cybersecurity threats to a subject system is provided.
- the method is implemented on a computing device including at least one processor in communication with at least one memory device.
- the method includes receiving a subject system to analyze, determining a potential hazard event associated with the subject system, generating an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determining an exploitability score for each of the plurality of actions, determining an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregating the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generating a response to the one or more vulnerabilities of the subject system.
- a non-transitory computer-readable medium having computer-executable instructions embodied thereon is provided. When executed by at least one processor coupled to a memory device, the computer-executable instructions cause the processor to receive a subject system to analyze.
- the subject system to analyze is at least one of a computer and a computer network.
- the computer-executable instructions also cause the processor to determine a potential hazard event associated with the subject system and generate an attack graph associated with the potential hazard event.
- the attack graph includes a plurality of actions.
- the computer-executable instructions further cause the processor to determine an exploitability score for each of the plurality of actions.
- the exploitability score represents the adversary ability level required to perform the corresponding action.
- the computer-executable instructions cause the processor to determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score.
- the uncertainty level represents a confidence level associated with the determination of the exploitability score.
- the computer-executable instructions cause the processor to aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system.
- the computer-executable instructions cause the processor to determine one or more countermeasures based on the one or more vulnerabilities, apply the one or more countermeasures to the attack graph, aggregate the plurality of actions based on the one or more countermeasures, and generate a response to the one or more vulnerabilities of the subject system.
- FIG. 1 illustrates a block diagram of a process to assess potential cybersecurity threats to a subject system and determine potential countermeasures, in accordance with one embodiment of the present disclosure.
- FIG. 2 illustrates an exemplary attack path diagram in accordance with one embodiment of the present disclosure.
- FIG. 3 illustrates another exemplary attack path diagram with a countermeasure in accordance with one embodiment of the present disclosure.
- FIG. 4 is a simplified block diagram of an example system for assessing potential cybersecurity threats to a subject system, such as through the process shown in FIG. 1 .
- FIG. 5 illustrates an example configuration of a client computer device shown in FIG. 4 , in accordance with one embodiment of the present disclosure.
- FIG. 6 illustrates an example configuration of the server system shown in FIG. 4 , in accordance with one embodiment of the present disclosure.
- FIG. 7 is a flowchart illustrating an example of a process of assessing potential cybersecurity threats to a subject system and determining potential countermeasures using the system shown in FIG. 4 , in accordance with one embodiment of the disclosure.
- CSA cybersecurity analyzing
- Described herein are computer systems such as the CSA computer devices and related computer systems. As described herein, all such computer systems include a processor and a memory. However, any processor in a computer device referred to herein may also refer to one or more processors wherein the processor may be in one computing device or a plurality of computing devices acting in parallel. Additionally, any memory in a computer device referred to herein may also refer to one or more memories wherein the memories may be in one computing device or a plurality of computing devices acting in parallel.
- a cybersecurity threat is an unauthorized attempt to gain access to a subject system.
- Cybersecurity threats, also known as cyber-attacks or cyber-threats, attempt to breach computer systems by taking advantage of vulnerabilities in those systems.
- Some cybersecurity threats include attempts to damage or disrupt a subject system. These cybersecurity threats may include, but are not limited to, active intrusions, spyware, malware, viruses, and worms.
- Cybersecurity threats may take many paths (also known as attack paths) to breach a system. These paths may include operating system attacks, misconfiguration attacks, application-level attacks, and shrink-wrap code attacks. Cybersecurity threats may be introduced by individuals or systems directly accessing a computing device, remotely via a communications network or connected system, or through an associated supply chain.
- a processor may include any programmable system including systems using micro-controllers, reduced instruction set circuits (RISC), application-specific integrated circuits (ASICs), logic circuits, and any other circuit or processor capable of executing the functions described herein.
- database may refer to either a body of data, a relational database management system (RDBMS), or to both.
- a database may include any collection of data including hierarchical databases, relational databases, flat file databases, object-relational databases, object oriented databases, and any other structured collection of records or data that is stored in a computer system.
- examples of RDBMSs include, but are not limited to, Oracle® Database, MySQL, IBM® DB2, Microsoft® SQL Server, Sybase®, and PostgreSQL.
- any database may be used that enables the systems and methods described herein.
- a computer program is provided, and the program is embodied on a computer-readable medium.
- the system is executed on a single computer system, without requiring a connection to a server computer.
- the system is being run in a Windows® environment (Windows is a registered trademark of Microsoft Corporation, Redmond, Wash.).
- the system is run on a mainframe environment and a UNIX® server environment (UNIX is a registered trademark of X/Open Company Limited located in Reading, Berkshire, United Kingdom).
- the application is flexible and designed to run in various different environments without compromising any major functionality.
- the system includes multiple components distributed among a plurality of computing devices. One or more components may be in the form of computer-executable instructions embodied in a computer-readable medium.
- the terms “software” and “firmware” are interchangeable, and include any computer program stored in memory for execution by a processor, including RAM memory, ROM memory, EPROM memory, EEPROM memory, and non-volatile RAM (NVRAM) memory.
- RAM random access memory
- ROM memory read-only memory
- EPROM memory erasable programmable read-only memory
- EEPROM memory electrically erasable programmable read-only memory
- NVRAM non-volatile RAM
- the term “real-time” refers to at least one of the time of occurrence of the associated events, the time of measurement and collection of predetermined data, the time to process the data, and the time of a system response to the events and the environment. In the embodiments described herein, these activities and events occur substantially instantaneously.
- FIG. 1 illustrates a block diagram of a process 100 to assess potential cybersecurity threats to a subject system and determine potential countermeasures, in accordance with one embodiment of the present disclosure.
- process 100 is performed by one or more computer devices, such as cybersecurity analyzing (CSA) server 412 shown in FIG. 4 .
- the CSA server 412 identifies 105 cyber hazard events.
- a cyber hazard event is an event caused by an adversary that has the potential to cause damage, such as the exfiltration of a password, infection of a specific device, or loss of access to, or of data from, a specific device or network.
- Cyber hazard events may include, but are not limited to, cybersecurity threats.
- Cyber hazard events may include both anomalous cyber events (e.g., events resulting from user error or random system failures) and adversarial events (e.g., events initiated by an adversary intending to cause negative effects).
- hazard events are the results of a series of actions, including adversarial actions.
- the cyber hazard event is provided to the CSA server 412 by a subject matter expert or other user.
- the CSA server 412 receives a list of cyber hazard events to analyze.
- the CSA server 412 receives a subject system and identifies 105 which cyber hazard events to analyze with that subject system.
- a subject system is a system that must be kept secure. This may be a computer device or a computer network, but it also includes the individuals associated with the system, the location of the system, and any other physical objects or software that provide access to the system.
- a subject system may include a computer network.
- the subject system would also include the users with access to the computer network, access to where the hardware of the computer network is stored, access to where the users work, the supply chain that provides the hardware of the subject system, and any other hardware or software that an adversary may use to access the subject system.
- the subject system may also be a supply chain, a server room or closet, a paper filing system, and/or any other system that needs to be secure from adversarial actions.
- the CSA server 412 creates 110 attack graphs based on the subject system to be analyzed and the cyber hazard events. By considering a sequence of adversarial actions as nodes along a simple path, an attack path is created. An attack path is a “recipe” for an adversary to affect a cyber hazard event. Any given hazard event may have several associated attack paths.
- the CSA server 412 organizes these attack paths by combining paths with common nodes to create 110 an attack graph structure for each hazard event. In the exemplary embodiment, the resulting attack graphs are directed, acyclic graphs, which have defined entry points (leaf nodes) and a terminal point (root node corresponding with a hazard event).
- the sequences of adversarial events leading to the occurrence of the hazard event are found by enumerating each path originating at each leaf node and terminating at the root node—the hazard event.
- the CSA server 412 attempts to include all reasonable paths to prevent underestimation.
- the CSA server 412 excludes attack paths that are not possible using existing technology or that require improbable events to occur.
- the CSA server 412 accesses a database of potential adversarial actions and historical attack paths to create 110 the attack graphs. In this embodiment, the CSA server 412 receives information about the subject system to be analyzed and automatically creates 110 the attack paths and the attack graphs for that subject system.
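An added example, not code from the patent, of the graph construction just described: attack paths (ordered action lists ending at the hazard event) are merged on their common nodes into a directed graph, the entry points are the nodes with no predecessor, every entry-point-to-root path is enumerated, and a cycle check enforces the acyclic, single-terminal-node shape the text requires. The action names and paths are constructed for illustration.

```python
"""Added example: merge attack paths into an attack graph and enumerate
every entry-point-to-hazard path. Action names below are constructed."""
from collections import defaultdict

HAZARD = "exfiltrate credentials"

# Constructed sample: each path is an ordered list of adversary actions
# ending at the hazard event (the root node of the attack graph).
SAMPLE_PATHS = [
    ["phish user", "run malware", "dump credentials", HAZARD],
    ["insert malicious component in supply chain", "run malware",
     "dump credentials", HAZARD],
    ["enter secured facility", "attach device to host",
     "dump credentials", HAZARD],
]


def build_attack_graph(attack_paths):
    """Merge paths on common nodes: successors map action -> next actions."""
    nodes, succ = set(), defaultdict(set)
    for path in attack_paths:
        nodes.update(path)
        for a, b in zip(path, path[1:]):
            succ[a].add(b)
    return nodes, dict(succ)


def is_acyclic(nodes, succ):
    """Kahn's algorithm: every node gets removed iff the graph has no cycle."""
    indeg = {n: 0 for n in nodes}
    for a in succ:
        for b in succ[a]:
            indeg[b] += 1
    queue = [n for n in nodes if indeg[n] == 0]
    removed = 0
    while queue:
        n = queue.pop()
        removed += 1
        for b in succ.get(n, ()):
            indeg[b] -= 1
            if indeg[b] == 0:
                queue.append(b)
    return removed == len(nodes)


def entry_points(nodes, succ):
    """Leaf nodes of the attack graph: actions with no predecessor."""
    has_pred = {b for a in succ for b in succ[a]}
    return sorted(n for n in nodes if n not in has_pred)


def enumerate_paths(succ, root, leaves):
    """All simple paths from each entry point to the hazard event (root)."""
    found = []

    def walk(node, trail):
        if node == root:
            found.append(trail)
            return
        for nxt in sorted(succ.get(node, ())):
            if nxt not in trail:          # defensive: never revisit a node
                walk(nxt, trail + [nxt])

    for leaf in leaves:
        walk(leaf, [leaf])
    return found


def analyze(attack_paths, root=HAZARD):
    """Build the graph, check its required shape, return enumerated paths."""
    nodes, succ = build_attack_graph(attack_paths)
    if not is_acyclic(nodes, succ):
        raise ValueError("attack graph must be acyclic")
    if succ.get(root):
        raise ValueError("hazard event must be the terminal node")
    return enumerate_paths(succ, root, entry_points(nodes, succ))


if __name__ == "__main__":
    for p in analyze(SAMPLE_PATHS):
        print(" -> ".join(p))
```

Merging on "run malware" and "dump credentials" is what turns three separate recipes into one graph; the enumeration then recovers exactly the three leaf-to-root sequences, which is the input the exploitability aggregation later needs.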
- the term likelihood in this context refers to the probability that a hazard event occurs.
- the likelihood of a cybersecurity hazard event is a function of the following (not necessarily independent) factors: 1) Adversary intent: An adversary must choose which targets to exploit as time and resources generally prevent the exploitation of all targets; 2) Adversary ability: A given adversary generally cannot exploit any given target, where a top-tier nation state actor is typically assumed to pose the preeminent cybersecurity threat; and 3) System security/access: Systems may be isolated and protected by numerous countermeasures, and while some systems are trivial to penetrate, others are nearly impossible. Although likelihood can be thought of as a function of three factors, this assessment only considers the properties of the system. Properties of the adversary are difficult to ascertain and are often known only after an adversary has exploited a system. Therefore, only the properties of the system are generally considered.
- the term “exploitability” is used. This exploitability level is intended to express a threshold adversarial ability required to elicit a hazard event. A system that is more exploitable is assumed to be more easily attacked by a less capable adversary. Conversely, systems that are less exploitable can generally only be successfully attacked by a more capable adversary. In this interpretation, exploitability in the presence of some assumed adversary capabilities can be seen as the foundation of evaluating how secure a system is against attacks in general, irrespective of adversarial intent.
- the CSA server 412 determines 115 exploitability and uncertainty values for each node of each attack graph.
- the system uses a 1 to 5 integer scale to rate exploitability. Exploitability corresponds to the required adversary abilities to perform an action. Each node in the attack graph corresponds with a step in an attack. Therefore, the CSA server 412 rates each node with an exploitability score.
- the exploitability score is an assessment of the required adversarial ability to perform the action and continue down a path in the attack graph toward a cyber hazard event.
- the following table describes the correspondence between each exploitability level and the required adversarial ability class.
- exploitability is considered a threshold of possible exploitability not a threshold of certain exploitability.
- the CSA server 412 assigns an uncertainty level to the node. This uncertainty level captures the confidence associated with the assignment of the exploitability level by the assessor. If the exploitability level is believed to be accurate (e.g. very high confidence that the assigned exploitability level corresponds with the actual exploitability), then the CSA server 412 assigns an uncertainty level of 1. If no knowledge of required ability is available, then the CSA server 412 assigns an uncertainty level of 4 which indicates even odds to each of the 5 exploitability bins. In this latter case, the exploitability level is irrelevant as even odds are assumed for each level. The table below describes the 4 uncertainty levels.
- the CSA server 412 accesses a database of actions and the exploitability and uncertainty values associated with them to determine 115 the exploitability and uncertainty values for each node of each attack graph. In this embodiment, the CSA server 412 receives information about the subject system to be analyzed and automatically determines 115 the exploitability and uncertainty values for each node.
- the CSA server 412 performs 120 aggregation on the exploitability of each attack path in an attack graph. After each node in the attack graph is assigned an exploitability level and an uncertainty level, the exploitability of each attack path through the attack graph can be calculated. In the exemplary embodiment, the CSA server 412 simulates attacks within the attack graph. Each node in the graph can be considered as a filter that blocks or passes attacks based on adversary ability. Randomly-selected adversary abilities are applied to the head of each path and are then filtered in sequence by each node. Attacks that pass all the way through the attack graph are collected into bins by adversary ability to generate a distribution that represents the aggregated filtering function of the entire path.
- the filters along each path can be multiplied together in order to achieve the same result.
- the limit of the aggregate filter function at the end node is equal to the product of the filter functions for each node. This latter approach is far more computationally efficient.
- the CSA server 412 analyzes all of the attack paths against all of the potential adversaries to determine the distribution.
- the CSA server 412 accesses a database of stored attack paths to determine the distributions for those attack paths that have been analyzed previously.
- the aggregated exploitability level for a particular hazard event is based on the driving nodes in the attack graph. More specifically, the aggregated exploitability level is driven to its value by a small number of nodes (typically less than 10% of nodes). By examining the attack graph, the CSA server 412 may identify these nodes. As a rudimentary measure of this concept, the exploitability density distributions for each node in an attack graph can be summed to provide a view of the spread of exploitability in the attack graph.
- a set of prototype attacks and exploits is stored in a database for comparison.
- a table lists various attacks (e.g. insert malicious component in supply chain, infiltrate development environment, enter secured facility, etc.) along with a baseline exploitability and uncertainty value. Assumptions are also provided for the baseline exploitability and uncertainty levels. These assumptions may be used by the CSA server 412 and/or one or more users to make adjustments to the baseline exploitability and uncertainty scores as real-world applications require.
- the CSA server 412 identifies 125 the consequences of each cyber hazard event.
- consequence is captured on a semi-quantitative scale similarly to likelihood. This consequence is typically indexed to the mission of the system where a trivial consequence has no impact to the mission while the worst consequences typically are understood to be complete mission failure and/or loss of the system. These methods are highly effective in most cases and provide a basic comprehension of the distribution of consequence; however, the proportional difference between various consequences remains unknown.
- the CSA server 412 applies a set of associated consequences to each hazard event, and a most probable consequence is established.
- a consequence distribution is typically created, and the expected value of this distribution is taken to be the most likely consequence.
- for adversarial attacks, it is reasonable to assume that the adversary will attempt the highest-cost consequence that can be expected from a given hazard event. This assumption largely removes the concept of a distribution of consequences and yields one value.
- the CSA server 412 analyzes 130 the results of the aggregation and the identified consequences. In some embodiments, the CSA server 412 analyzes 130 the exploitability score for each path as well as the cost of the consequences. In some embodiments, the CSA server 412 compares the cost of the consequence to the cost of the countermeasures to determine whether to analyze the graphs with the countermeasures. The analysis may also guide the CSA server 412 in determining where and which countermeasures to use.
- the CSA server 412 applies 135 countermeasures to the cyber hazard events and returns to steps 110 through 120 .
- the CSA server 412 may apply countermeasures to reduce the overall exploitability of a cyber hazard event as required to reduce risk. These countermeasures can be added as additional nodes in the attack graphs. The overall exploitability can then be recalculated, producing a mitigated cyber hazard event exploitability.
- the CSA server 412 is configured to consider countermeasures if the assigned exploitability of the countermeasure node is less than or equal to the current minimum exploitability in all mitigated paths for the hazard event. This principle ensures that countermeasures are not added that do not actually mitigate any risk or contribute to defense-in-depth, thus saving processing resources and delivering a parsimonious set of countermeasures.
- the CSA server 412 considers countermeasures in sets. For example, one set of countermeasures could contain countermeasures that balance risk reduction, cost impacts, and schedule impacts. Another set of countermeasures could contain all countermeasures that reasonably could be applied that minimize risk. This would give the assessor (CSA server 412 or user) an opportunity to evaluate what was implemented (presumably the balanced set of countermeasures) compared to the set of all possible countermeasures. In cases where the application of additional countermeasures beyond the balanced set does not substantially reduce risk, the determination may be that additional countermeasures may be an inefficient use of resources.
- when the CSA server 412 has completed all of the analysis, the CSA server 412 generates 140 proposals for the analyzed subject systems to mitigate the cyber hazard events. These proposals may include the cost/consequences of each hazard event, the cost to mitigate (add countermeasures), the critical paths or paths of highest exploitability, and the risks with and without those countermeasures. This analysis assists the user in determining which actions are the easiest and most cost-effective to mitigate.
- steps of process 100 are described as being performed by the CSA server 412 , in some embodiments, the steps may be performed by a combination of the CSA server 412 and one or more users. In some embodiments, the CSA server 412 may perform one or more steps and then provide the results of those steps to a user or subject matter expert for potential adjustment.
- this analysis process may be expressed mathematically, including a truncated normal distribution for exploitability, a plurality of normalizations to facilitate the use of the truncated normal distribution, a plurality of methods for aggregating attack paths into a single exploitability and uncertainty level for each hazard event, and a metric for the use of countermeasures.
- a truncated normal distribution may be used to describe exploitability.
- the truncated normal distribution is a normal distribution that has been truncated at some limits a and b.
- a scaling factor is applied to the truncated density function to re-normalize the integral of the probability density function to 1. If $f_{\mu,\sigma}(x)$ is the normal distribution probability density function (PDF), then the truncated normal distribution PDF $f_{\mu,\sigma,a,b}(x)$ is given by Equation 1:
$$f_{\mu,\sigma,a,b}(x) = \begin{cases} \dfrac{f_{\mu,\sigma}(x)}{\int_a^b f_{\mu,\sigma}(t)\,dt} & x \in (a,b) \\[4pt] 0 & \text{otherwise} \end{cases} \qquad \text{(EQ. 1)}$$
- $\mu$ is the mean
- $\sigma$ is the standard deviation
- $a$ is the lower truncation
- $b$ is the upper truncation
- Equation 2 places the center of each exploitability bin 0.2 from the center of the adjacent bin, starting with exploitability level 1 at 0.1; written out from that description, $\varepsilon = 0.2E - 0.1$, so levels 1 through 5 map to 0.1, 0.3, 0.5, 0.7 and 0.9.
- $\varepsilon$ is the normalized exploitability ($\varepsilon \in [0,1]$)
- $E$ is the allocated exploitability level (valid $E \in [0.5, 5.5]$, but allocated such that $E \in \{1, 2, 3, 4, 5\}$).
- Aggregating the normalized node values along a path (Equation 5) generates an aggregate exploitability for the attack path.
- This aggregate exploitability is partly a function of the length of the path in addition to the exploitability of the nodes themselves: the more actions the adversary must take, the more difficult the attack actually is.
- a standard deviation is supplied that corresponds to the definition of the level. Those standard deviations are provided below. These standard deviations only apply to the normalized exploitability (e.g. ⁇ ).
- the uncertainty of the exploitability of each node is specified on a 1 to 4 scale divided into 4 bins. Calculations may be done using the truncated normal distribution with standard deviations mapped to each uncertainty bin. Once calculations are complete, the standard deviation values are translated back to the semi-quantitative, binned domain. The following functions allow for the interpolation of values using a smooth, piecewise function.
- Equation 3 is used as a smooth, piecewise function for semi-quantitative input values $U \in [0, 4]$ that gives standard deviation values $\sigma_E \in [0, 100]$ as assigned according to the table above.
- $$\sigma_E = \begin{cases} 0.05\,U^2 & \text{where } U \in [0,1] \\ 0.1\,U - 0.05 & \text{where } U \in [1,2] \\ 0.15\,U^2 - 0.5\,U + 0.55 & \text{where } U \in [2,3] \\ 99.2\,U^2 - 594.8\,U + 892 & \text{where } U \in [3,4] \end{cases} \qquad \text{(EQ. 3)}$$
- $\sigma_E$ is the normalized exploitability standard deviation and $U$ is the allocated exploitability uncertainty level. The four pieces agree at the breakpoints ($\sigma_E = 0.05$ at $U = 1$, $0.15$ at $U = 2$, $0.4$ at $U = 3$) and reach $\sigma_E = 100$ at $U = 4$, which on the $[0,1]$ exploitability axis is effectively a flat distribution.
- the exploitability score corresponds to an adversarial ability with even odds of completing the action corresponding to the assigned node.
- This concept further implies that the odds of completing the action should be lower for an inferior adversary and higher for a superior adversary. The spread of these odds is proportional to the uncertainty.
- this creates a filter at each node which can be passed with greater ease by increasingly superior adversaries. Mathematically, this can be expressed using the complement of the cumulative distribution function (i.e., the survival function $S(x)$) of exploitability (Equation 4):
- $\epsilon$ is the normalized exploitability level
- $\sigma_E$ is the corresponding standard deviation for the normalized uncertainty level as shown in the above table
- $x$ represents normalized exploitability levels (e.g., $x \in [0,1]$).
- Equation 5 is composed using multiplication over the set of nodes $N(p_x)$ in the path to yield an aggregated $S_{p_x}(x)$ for the path $p_x$ in an attack graph (Equation 5).
- $N(p_x)$ is the set of nodes in the path $p_x$.
- $S_n(x)$ is the survival function of node $n \in N(p_x)$, and $x$ represents the normalized exploitability level (e.g., $x \in [0,1]$).
- a maximum value function may be used to create an aggregated survival function over every path $p_x$ in the set of paths $P$ associated with a particular hazard event (Equation 6).
- $S_p(x)$ is the fully aggregated survival function for the hazard event
- $S_{p_x}(x)$ is the survival function for the path $p_x \in P$
- $P$ is the set of all paths leading to the relevant hazard event.
- the countermeasure depth D(x) is defined as:
- $N(P)$ is the set of unique nodes in the attack graph with set of paths $P$
- $f_{\epsilon_n,\sigma_{E_n}}(x)$ is the PDF of the truncated normal distribution given the normalized exploitability and standard deviation for node $n$
- $x$ represents normalized exploitability levels (e.g., $x \in [0,1]$).
- FIG. 2 illustrates an exemplary attack path diagram 200 in accordance with one embodiment of the present disclosure.
- diagram 200 reflects a simplified view of the various attack paths that an adversary could take to obtain the Wi-Fi password for a wireless local area network.
- the cyber hazard event for this example is the exfiltration of a password for the router.
- each node 205 represents an action
- Node A 210 represents the cyber hazard event itself.
- Each node 205 includes an exploitability score followed by an uncertainty number (e.g., 3, 2).
- the description, exploitability score and uncertainty numbers for all of the nodes 205 shown in FIG. 2 are described below in Table 4.
- each node 205 represents an action that can be taken by an adversary.
- the exploitability score represents the required adversary abilities to perform the action.
- the uncertainty level captures the confidence associated with the assignment of the exploitability score.
- the action for Node M is that malicious software may be installed on the router. This action received an exploitability score of 1, which represents a top-tier nation-state military/intelligence agency. The uncertainty level for this score is 2, which represents a 25% uncertainty level.
- FIG. 3 illustrates another exemplary attack path diagram 300 with a countermeasure in accordance with one embodiment of the present disclosure.
- diagram 300 reflects a simplified view of diagram 200 (shown in FIG. 2 ) with a countermeasure 305 (Node N) added.
- the countermeasure 305 is periodic passcode changes, therefore the associated adversarial action is preventing periodic passcode changes.
- This action is assigned the exploitability score of 1, which means it requires a top-tier nation-state military/intelligence agency.
- the exploitability score has an uncertainty value of 1, which represents 5% uncertainty, the most certain level on this scale. Accordingly, for most of the attack paths shown, periodically changing the passcode decreases the risk of that attack path being used. However, it is not shown as affecting the attack path from Node M, where malicious software is installed on the router.
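The following is an added worked example, not code from the patent, that carries the Equation 1 to Equation 6 machinery described above through a small attack graph and then repeats the calculation with the FIG. 3 countermeasure node inserted. It assumes truncation limits $a = 0$, $b = 1$, that the Equation 2 bin centres are 0.1, 0.3, 0.5, 0.7, 0.9 for levels 1 to 5 (my reading of the description given for that equation), that the hazard node A is not itself scored, and that the path product runs over action nodes only. Nodes M (1, 2) and N (1, 1) carry the scores the text gives them; nodes B, C, D and their scores are constructed, as Table 4 is not reproduced on this page.

```python
"""Added worked example (not the patent's code): Equations 1-6 carried through a
small constructed attack graph, before and after the FIG. 3 countermeasure node.
Assumptions: a = 0, b = 1; Eq. 2 bin centres 0.1, 0.3, ..., 0.9 for E = 1..5;
the hazard node A is not scored. Standard library only."""
import math
from typing import Dict, List, Sequence, Tuple

A, B = 0.0, 1.0                 # truncation limits of the normalized exploitability axis
Node = Tuple[int, float]        # (exploitability level E, uncertainty level U)


def _phi(z: float) -> float:
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def trunc_norm_pdf(x: float, mu: float, sigma: float) -> float:
    """Equation 1: normal PDF rescaled so that its integral over (A, B) is 1."""
    if not (A < x < B):
        return 0.0
    z = (x - mu) / sigma
    dens = math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))
    return dens / (_phi((B - mu) / sigma) - _phi((A - mu) / sigma))

def trunc_norm_cdf(x: float, mu: float, sigma: float) -> float:
    """CDF of the truncated normal, i.e. the integral of Equation 1 from A to x."""
    if x <= A:
        return 0.0
    if x >= B:
        return 1.0
    lo, hi = _phi((A - mu) / sigma), _phi((B - mu) / sigma)
    return (_phi((x - mu) / sigma) - lo) / (hi - lo)

def pdf_mass(mu: float, sigma: float, steps: int = 20000) -> float:
    """Midpoint-rule integral of the PDF over [A, B]; verifies the Eq. 1 scaling factor."""
    h = (B - A) / steps
    return h * sum(trunc_norm_pdf(A + (i + 0.5) * h, mu, sigma) for i in range(steps))

def normalized_exploitability(E: int) -> float:
    """Bin centre for level E (assumed reading of Eq. 2: centres 0.2 apart, level 1 at 0.1)."""
    if E not in (1, 2, 3, 4, 5):
        raise ValueError(f"exploitability level must be 1..5, got {E}")
    return 0.2 * E - 0.1

def sigma_E(U: float) -> float:
    """Equation 3: piecewise map from uncertainty level U in [0, 4] to sigma_E."""
    if 0.0 <= U <= 1.0:
        return 0.05 * U * U
    if U <= 2.0:
        return 0.1 * U - 0.05
    if U <= 3.0:
        return 0.15 * U * U - 0.5 * U + 0.55
    if U <= 4.0:
        return 99.2 * U * U - 594.8 * U + 892.0
    raise ValueError(f"uncertainty level must be in [0, 4], got {U}")

def node_survival(node: Node, x: float) -> float:
    """Equation 4: S_n(x) = 1 - F(x), the odds that an adversary at level x passes node n.
    Lower x is the more capable adversary (level 1 = top-tier nation state)."""
    E, U = node
    mu, sigma = normalized_exploitability(E), sigma_E(U)
    if sigma <= 0.0:              # U = 0: no spread, a hard step at the bin centre
        return 1.0 if x < mu else 0.0
    return 1.0 - trunc_norm_cdf(x, mu, sigma)

def path_survival(nodes: Dict[str, Node], path: Sequence[str], x: float) -> float:
    """Equation 5: product of the node survival functions along one path."""
    s = 1.0
    for name in path:
        s *= node_survival(nodes[name], x)
    return s

def hazard_survival(nodes: Dict[str, Node], paths: Sequence[Sequence[str]], x: float) -> float:
    """Equation 6: maximum over all paths that lead to the hazard event."""
    return max(path_survival(nodes, p, x) for p in paths)


# Constructed graph in the spirit of FIG. 2 / FIG. 3 (not the patent's Table 4).
# M and N carry the scores the text gives them; B, C, D are made up.
NODES: Dict[str, Node] = {"B": (3, 2), "C": (4, 3), "D": (2, 2),
                          "M": (1, 2),   # install malicious software on the router
                          "N": (1, 1)}   # prevent periodic passcode changes (countermeasure)
PATHS_BEFORE: List[List[str]] = [["B"], ["C", "D"], ["M"]]
PATHS_AFTER: List[List[str]] = [["B", "N"], ["C", "D", "N"], ["M"]]   # N on every path but M's

def compare(x: float) -> Tuple[float, float]:
    """Aggregated hazard survival (Eq. 6) before and after the countermeasure."""
    return hazard_survival(NODES, PATHS_BEFORE, x), hazard_survival(NODES, PATHS_AFTER, x)


if __name__ == "__main__":
    for x in (0.1, 0.3, 0.5, 0.7, 0.9):
        before, after = compare(x)
        print(f"x={x:.1f}  S_P before={before:.4f}  after={after:.4f}")
```

Running the block prints the fully aggregated survival at several adversary levels. At $x = 0.5$ the unguarded path through B has even odds, so the hazard survival before the countermeasure is 0.5; every path that passes through N collapses to essentially zero, and the aggregate falls to the survival of the one path the countermeasure does not touch (M), which is the "not shown as affecting the attack path from Node M" observation expressed numerically. The `pdf_mass` helper exists only to check the Equation 1 scaling factor: it should return 1 for any $\mu$, $\sigma$, including the near-flat $\sigma_E = 100$ case.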
- FIG. 4 is a simplified block diagram of an example system 400 for assessing potential cybersecurity threats to a subject system, such as through the process shown in FIG. 1 .
- system 400 is used for assessing potential cybersecurity threats to the subject system and determining potential countermeasures to mitigate those potential cybersecurity threats.
- system 400 is a cyber-security management system that includes a cyber-security analyzing (CSA) computer device 412 (also known as a CSA server) configured to analyze for and determine countermeasures for cybersecurity threats.
- CSA server 412 is programmed to analyze subject systems for potential hazard events.
- the CSA server 412 is programmed to a) receive a subject system to analyze; b) determine a potential hazard event associated with the subject system; c) generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions; d) determine an exploitability score for each of the plurality of actions; e) determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score; f) aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system; and g) generate a response to the one or more vulnerabilities of the subject system.
- client systems 414 are computers that include a web browser or a software application, which enables client systems 414 to communicate with CSA server 412 using the Internet, a local area network (LAN), or a wide area network (WAN).
- client systems 414 are communicatively coupled to the Internet through many interfaces including, but not limited to, at least one of a network, such as the Internet, a LAN, a WAN, or an integrated services digital network (ISDN), a dial-up-connection, a digital subscriber line (DSL), a cellular phone connection, a satellite connection, and a cable modem.
- Client systems 414 can be any device capable of accessing a network, such as the Internet, including, but not limited to, a desktop computer, a laptop computer, a personal digital assistant (PDA), a cellular phone, a smartphone, a tablet, a phablet, or other web-based connectable equipment.
- a database server 416 is communicatively coupled to a database 420 that stores data.
- database 420 is a cybersecurity database that includes computer device and network configurations, cybersecurity threats, attack paths, countermeasures, and computer device models.
- database 420 is stored remotely from CSA server 412 .
- database 420 is decentralized. In the example embodiment, a person can access database 420 via client systems 414 by logging onto CSA server 412 .
- FIG. 5 illustrates an example configuration of client system 414 shown in FIG. 4 , in accordance with one embodiment of the present disclosure.
- User computer device 502 is operated by a user 501 .
- User computer device 502 may include, but is not limited to, client systems 414 (shown in FIG. 4 ).
- User computer device 502 includes a processor 505 for executing instructions.
- executable instructions are stored in a memory area 510 .
- Processor 505 may include one or more processing units (e.g., in a multi-core configuration).
- Memory area 510 is any device allowing information such as executable instructions and/or transaction data to be stored and retrieved.
- Memory area 510 may include one or more computer-readable media.
- User computer device 502 also includes at least one media output component 515 for presenting information to user 501 .
- Media output component 515 is any component capable of conveying information to user 501 .
- media output component 515 includes an output adapter (not shown) such as a video adapter and/or an audio adapter.
- An output adapter is operatively coupled to processor 505 and operatively coupleable to an output device such as a display device (e.g., a cathode ray tube (CRT), liquid crystal display (LCD), light emitting diode (LED) display, or “electronic ink” display) or an audio output device (e.g., a speaker or headphones).
- media output component 515 is configured to present a graphical user interface (e.g., a web browser and/or a client application) to user 501 .
- a graphical user interface may include, for example, an interface for viewing the results of the analysis of one or more subject systems.
- user computer device 502 includes an input device 520 for receiving input from user 501 .
- User 501 may use input device 520 to, without limitation, select a computer system to view the analysis of. Input device 520 may include, for example, a keyboard, a pointing device, a mouse, a stylus, a touch sensitive panel (e.g., a touch pad or a touch screen), a gyroscope, an accelerometer, a position detector, a biometric input device, and/or an audio input device.
- a single component such as a touch screen may function as both an output device of media output component 515 and input device 520 .
- User computer device 502 may also include a communication interface 525 , communicatively coupled to a remote device such as CSA server 412 (shown in FIG. 4 ).
- Communication interface 525 may include, for example, a wired or wireless network adapter and/or a wireless data transceiver for use with a mobile telecommunications network.
- Stored in memory area 510 are, for example, computer-readable instructions for providing a user interface to user 501 via media output component 515 and, optionally, receiving and processing input from input device 520 .
- a user interface may include, among other possibilities, a web browser and/or a client application. Web browsers enable users, such as user 501 , to display and interact with media and other information typically embedded on a web page or a website from CSA server 412 .
- a client application allows user 501 to interact with, for example, CSA server 412 .
- instructions may be stored by a cloud service, and the output of the execution of the instructions sent to the media output component 515 .
- Processor 505 executes computer-executable instructions for implementing aspects of the disclosure.
- the processor 505 is transformed into a special purpose microprocessor by executing computer-executable instructions or by otherwise being programmed.
- FIG. 6 illustrates an example configuration of the server system 412 shown in FIG. 4 , in accordance with one embodiment of the present disclosure.
- Server computer device 601 may include, but is not limited to, database server 416 and CSA server 412 (both shown in FIG. 4 ).
- Server computer device 601 also includes a processor 605 for executing instructions. Instructions may be stored in a memory area 610 .
- Processor 605 may include one or more processing units (e.g., in a multi-core configuration).
- Processor 605 is operatively coupled to a communication interface 615 such that server computer device 601 is capable of communicating with a remote device such as another server computer device 601 , another CSA server 412 , or client system 414 (shown in FIG. 4 ).
- a remote device such as another server computer device 601 , another CSA server 412 , or client system 414 (shown in FIG. 4 ).
- communication interface 615 may receive requests from client system 414 via the Internet, as illustrated in FIG. 4 .
- Storage device 634 is any computer-operated hardware suitable for storing and/or retrieving data, such as, but not limited to, data associated with database 420 (shown in FIG. 4 ).
- storage device 634 is integrated in server computer device 601 .
- server computer device 601 may include one or more hard disk drives as storage device 634 .
- storage device 634 is external to server computer device 601 and may be accessed by a plurality of server computer devices 601 .
- storage device 634 may include a storage area network (SAN), a network attached storage (NAS) system, and/or multiple storage units such as hard disks and/or solid state disks in a redundant array of inexpensive disks (RAID) configuration.
- processor 605 is operatively coupled to storage device 634 via a storage interface 620 .
- Storage interface 620 is any component capable of providing processor 605 with access to storage device 634 .
- Storage interface 620 may include, for example, an Advanced Technology Attachment (ATA) adapter, a Serial ATA (SATA) adapter, a Small Computer System Interface (SCSI) adapter, a RAID controller, a SAN adapter, a network adapter, and/or any component providing processor 605 with access to storage device 634 .
- Processor 605 executes computer-executable instructions for implementing aspects of the disclosure.
- the processor 605 is transformed into a special purpose microprocessor by executing computer-executable instructions or by otherwise being programmed.
- the processor 605 is programmed with instructions such as those illustrated in FIG. 7.
- FIG. 7 is a flowchart illustrating an example of a process 700 of assessing potential cybersecurity threats to a subject system and determining potential countermeasures using the system 400 (shown in FIG. 4 ), in accordance with one embodiment of the disclosure.
- Process 700 may be implemented by a computing device, for example the CSA server 412 (shown in FIG. 4 ).
- the CSA server 412 receives 705 a subject system to analyze.
- the subject system may be, but is not limited to, a computer device, an Internet of Things device, or a computer network, as well as the hardware, software, and people that an adversary may compromise to access the subject system.
- the CSA server 412 may receive information about the subject system to analyze, including, but not limited to, make, model, configuration, current settings, other connected devices, and any other information necessary to properly identify the subject system.
- the CSA server 412 may look up the subject system in a database, such as database 420 (shown in FIG. 4).
- the CSA server 412 determines 710 a potential hazard event associated with the subject system. In some embodiments, the CSA server 412 retrieves the potential hazard event from the database 420 . The potential hazard event may be determined 710 based on similar subject systems and previously performed analysis. While only a single potential hazard event is mentioned, in the exemplary embodiment, the CSA server 412 may determine all of the potential hazard events that may be associated with the received subject system and perform analysis described herein on each of the potential hazard events.
- the CSA server 412 generates 715 an attack graph associated with the potential hazard event.
- the attack graph includes a plurality of actions and may be similar to the attack graph shown in FIG. 2 .
- Each of the plurality of actions represents an adversarial action.
- the CSA server 412 determines 720 an exploitability score for each of the plurality of actions in the potential hazard event.
- the exploitability score represents an adversary ability level to perform the corresponding action.
- the CSA server 412 determines 725 an uncertainty level for each of the plurality of actions based on the corresponding exploitability score.
- the uncertainty level represents a confidence level associated with the determination of the exploitability score.
- the CSA server 412 retrieves the exploitability scores and uncertainty levels from previously performed analyses.
- the CSA server 412 calculates the exploitability scores and uncertainty levels based on one or more rules and historical values.
- the CSA server 412 aggregates 730 the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system. In some embodiments, the CSA server 412 performs a mathematical analysis of the exploitability scores and uncertainty levels.
- the attack graph includes a plurality of attack paths. Each attack path includes one or more actions of the plurality of actions. The CSA server 412 aggregates each of the plurality of attack paths based on the one or more actions associated with the corresponding attack path. In these embodiments, the one or more vulnerabilities are based on at least one of the plurality of attack paths.
- the CSA server 412 generates 735 a response to the one or more vulnerabilities of the subject system.
- the response is a report about the potential vulnerabilities and the risk levels associated with them and the subject system.
- the response may include potential countermeasures and the associated costs with those countermeasures.
- the CSA server 412 may determine one or more countermeasures based on the one or more vulnerabilities. These countermeasures may be determined based on information in the database 420 . The CSA server 412 applies the one or more countermeasures to the attack graph and re-performs the above analysis to determine the effectiveness of the one or more countermeasures. The CSA server 412 re-aggregates the plurality of actions based on the one or more countermeasures.
- the CSA server 412 determines a plurality of potential hazard events for the subject system.
- the CSA server 412 generates an attack graph for each of the plurality of potential hazard events.
- the CSA server 412 aggregates the plurality of actions for each of the plurality of attack graphs based on the corresponding plurality of exploitability scores and the plurality of uncertainty levels to determine one or more vulnerabilities of the subject system.
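As an added example (not the patent's implementation) of how the attack graph generated in step 715 can be held, searched, and re-analysed after a countermeasure is applied, the following builds the graph as an adjacency map whose edges point toward the hazard node, enumerates the set of attack paths $P$ that lead to that node (the set the aggregation step 730 works over), inserts a countermeasure action on the hazard's incoming edges the way FIG. 3 inserts Node N, and reports which paths the countermeasure covers and which bypass it. The graph, the node names B, C, D, and the exempt predecessor set are constructed; M and N are the nodes the text describes. Numeric scoring of the returned paths is outside this block.

```python
"""Added example (not the patent's code): attack graph as an adjacency map,
enumeration of the path set P to a hazard node, and FIG. 3-style countermeasure
insertion. Standard library only."""
from typing import Dict, List, Set, Tuple

Graph = Dict[str, List[str]]   # action -> actions it enables; edges point toward the hazard


def enumerate_paths(graph: Graph, hazard: str) -> List[List[str]]:
    """Every simple path from an entry action (one with no predecessor) to `hazard`.
    The hazard node is the event itself, not an action, so it is left out of each path."""
    has_pred: Set[str] = {dst for dsts in graph.values() for dst in dsts}
    entries = sorted(n for n in graph if n not in has_pred and n != hazard)
    paths: List[List[str]] = []

    def walk(node: str, trail: Tuple[str, ...]) -> None:
        if node == hazard:
            paths.append(list(trail))
            return
        for nxt in graph.get(node, []):
            if nxt != node and nxt not in trail:   # cycle guard: simple paths only
                walk(nxt, trail + (node,))

    for entry in entries:
        walk(entry, ())
    return paths

def apply_countermeasure(graph: Graph, cm: str, hazard: str, exempt: Set[str]) -> Graph:
    """Copy of `graph` with countermeasure action `cm` inserted on every edge into
    `hazard` except those leaving a node in `exempt` (FIG. 3 leaves the edge from M
    untouched because the countermeasure does not hinder that action)."""
    new: Graph = {n: list(d) for n, d in graph.items()}
    rewired = False
    for src, dsts in list(new.items()):
        if src in exempt or hazard not in dsts:
            continue
        new[src] = [cm if d == hazard else d for d in dsts]
        rewired = True
    if rewired:                      # only add the node if it actually guards something
        new.setdefault(cm, [])
        if hazard not in new[cm]:
            new[cm].append(hazard)
    return new

def coverage(graph: Graph, cm: str, hazard: str) -> Tuple[List[List[str]], List[List[str]]]:
    """Split the path set into paths that pass through `cm` and paths that bypass it."""
    covered: List[List[str]] = []
    bypass: List[List[str]] = []
    for p in enumerate_paths(graph, hazard):
        (covered if cm in p else bypass).append(p)
    return covered, bypass


# Constructed graph for the FIG. 2 hazard "exfiltrate the router password" (hazard node A).
# M (install malicious software on the router) is from the text; B, C, D are made up.
ATTACK_GRAPH: Graph = {"B": ["A"], "C": ["D"], "D": ["A"], "M": ["A"], "A": []}
# (exploitability E, uncertainty U) per action; M and N as given in the text, others made up.
SCORES: Dict[str, Tuple[int, int]] = {"B": (3, 2), "C": (4, 3), "D": (2, 2),
                                      "M": (1, 2), "N": (1, 1)}

if __name__ == "__main__":
    print("paths before:", enumerate_paths(ATTACK_GRAPH, "A"))
    guarded = apply_countermeasure(ATTACK_GRAPH, "N", "A", exempt={"M"})
    covered, bypass = coverage(guarded, "N", "A")
    print("paths covered by N:", covered)
    print("paths bypassing N:", bypass)
```

The `exempt` set is how the analyst records that a countermeasure does not interpose on a particular action (the FIG. 3 case where periodic passcode changes do not hinder malware already on the router); the `bypass` list returned by `coverage` is exactly the set of paths whose survival the re-aggregation will leave unchanged, which is the first thing to inspect when judging whether a proposed countermeasure is worth its cost.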
- At least one of the technical solutions to the technical problems provided by this system may include: (i) improved security systems; (ii) reduced time and cost in securing the subject system; (iii) capturing considerations outside of the subject system which influence the subject system; (iv) identifying the most cost effective countermeasures; and (v) analyzing the security of systems based on potential adversarial actions.
- the methods and system described herein may be implemented using computer programming or engineering techniques including computer software, firmware, hardware, or any combination or subset.
- at least one technical problem with prior systems is that there is a need for a cost-effective and reliable way to analyze computer systems for potential adversarial cybersecurity threats.
- the system and methods described herein address that technical problem.
- at least one of the technical solutions to the technical problems provided by this system may include: (i) improved security systems; (ii) increased understanding of the potential attack paths against systems; (iii) determination of the effectiveness of different countermeasures in different systems; and (iv) improved time and efficiency in performing an assessment of a system or subject system.
- the methods and systems described herein may be implemented using computer programming or engineering techniques including computer software, firmware, hardware, or any combination or subset thereof, wherein the technical effects may be achieved by performing at least one of the following steps: (a) receive a subject system to analyze; (b) determine a potential hazard event associated with the subject system; (c) generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions; (d) determine an exploitability score for each of the plurality of actions; (e) determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score; (f) aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system; and (g) generate a response to the one or more vulnerabilities of the subject system.
- the technical effects may also be achieved by performing at least one of the following steps: (a) receive a subject system to analyze, wherein the subject system to analyze is at least one of a computer and a computer network; (b) determine a potential hazard event associated with the subject system; (c) generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, wherein the attack graph includes a plurality of attack paths, wherein each attack path includes one or more actions of the plurality of actions, wherein each of the plurality of actions are adversarial actions; (d) determine an exploitability score for each of the plurality of actions, wherein the exploitability score represents an adversary ability level to perform the corresponding actions; (e) determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, wherein the uncertainty level represents a confidence level associated with the determination of the exploitability score; (f) aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system
- the technical effects may also be achieved by performing at least one of the following steps: (a) determine a plurality of potential hazard events for the subject system; (b) generate an attack graph for each of the plurality of potential hazard events; and (c) aggregate the plurality of actions for each of the plurality of attack graphs based on the corresponding plurality of exploitability scores and the corresponding plurality of uncertainty levels to determine one or more vulnerabilities of the subject system.
- the computer-implemented methods discussed herein may include additional, less, or alternate actions, including those discussed elsewhere herein.
- the methods may be implemented via one or more local or remote processors, transceivers, servers, and/or sensors (such as processors, transceivers, servers, and/or sensors mounted on vehicles or mobile devices, or associated with smart infrastructure or remote servers), and/or via computer-executable instructions stored on non-transitory computer-readable media or medium.
- the computer systems discussed herein may include additional, less, or alternate functionality, including that discussed elsewhere herein.
- the computer systems discussed herein may include or be implemented via computer-executable instructions stored on non-transitory computer-readable media or medium.
- non-transitory computer-readable media is intended to be representative of any tangible computer-based device implemented in any method or technology for short-term and long-term storage of information, such as, computer-readable instructions, data structures, program modules and sub-modules, or other data in any device. Therefore, the methods described herein may be encoded as executable instructions embodied in a tangible, non-transitory, computer readable medium, including, without limitation, a storage device and/or a memory device. Such instructions, when executed by a processor, cause the processor to perform at least a portion of the methods described herein.
- non-transitory computer-readable media includes all tangible, computer-readable media, including, without limitation, non-transitory computer storage devices, including, without limitation, volatile and nonvolatile media, and removable and non-removable media such as a firmware, physical and virtual storage, CD-ROMs, DVDs, and any other digital source such as a network or the Internet, as well as yet to be developed digital means, with the sole exception being a transitory, propagating signal.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- The field of the present disclosure relates generally to assessing potential cybersecurity threats and, more specifically, to automatically assessing potential cybersecurity threats to a subject system and determining potential countermeasures.
- Methods to assess cybersecurity risk are varied and diverse but, at a fundamental level, risk assessments generally consider the likelihood and consequence of a hazard event to be the primary variables in calculating risk. Cybersecurity risk assessments often make use of a semi-quantitative assessment of likelihood and consequence to derive various metrics of risk in the absence of true probabilities for likelihood or true measures of consequence. Most assessment methods define intentionally specific criteria that are used to segregate hazard events into various bins of likelihood and consequence. These methods convey an unfounded sense of certainty regarding the likelihood or consequence of hazard events and may artificially distance hazard events that in fact possess similar risk characteristics. Furthermore, the time to perform precise cybersecurity assessments is significant and requires a significant amount of subject matter expertise, thereby greatly increasing their corresponding cost. By not including uncertainty as an assessment parameter, cybersecurity assessments are forced to expend significant resources to decrease uncertainty for all assessment inputs instead of the select few inputs most significantly affecting assessment results. Additionally, traditional cybersecurity risk assessment approaches often struggle to naturally represent assessment aspects related to subject systems that are not in fact part of the system (e.g., the physical security of the subject system). This limits the utility of these methods for assessing the overall security posture of a system.
- In one aspect, a cybersecurity analyzing system for assessing potential cybersecurity threats to a subject system is provided. The system includes a computing device that includes at least one processor in communication with at least one memory device. The at least one processor is programmed to: receive a subject system to analyze, determine a potential hazard event associated with the subject system, generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determine an exploitability score for each of the plurality of actions, determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generate a response to the one or more vulnerabilities of the subject system.
- In another embodiment, a method for assessing potential cybersecurity threats to a subject system is provided. The method is implemented on a computing device including at least one processor in communication with at least one memory device. The method includes receiving a subject system to analyze, determining a potential hazard event associated with the subject system, generating an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determining an exploitability score for each of the plurality of actions, determining an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregating the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generating a response to the one or more vulnerabilities of the subject system.
- In another embodiment, a non-transitory computer-readable media having computer-executable instructions embodied thereon is provided. When executed by at least one processor coupled to a memory device, the computer-executable instructions cause the processor to receive a subject system to analyze. The subject system to analyze is at least one of a computer and a computer network. The computer-executable instructions also cause the processor to determine a potential hazard event associated with the subject system and generate an attack graph associated with the potential hazard event. The attack graph includes a plurality of actions. The computer-executable instructions further cause the processor to determine an exploitability score for each of the plurality of actions. The exploitability score represents an adversary ability level to perform the corresponding actions. In addition, the computer-executable instructions cause the processor to determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score. The uncertainty level represents a confidence level associated with the determination of the exploitability score. Moreover, the computer-executable instructions cause the processor to aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system. Furthermore, the computer-executable instructions cause the processor to determine one or more countermeasures based on the one or more vulnerabilities, apply the one or more countermeasures to the attack graph, aggregate the plurality of actions based on the one or more countermeasures, and generate a response to the one or more vulnerabilities of the subject system.
- FIG. 1 illustrates a block diagram of a process to assess potential cybersecurity threats to a subject system and determine potential countermeasures, in accordance with one embodiment of the present disclosure.
- FIG. 2 illustrates an exemplary attack path diagram in accordance with one embodiment of the present disclosure.
- FIG. 3 illustrates another exemplary attack path diagram with a countermeasure in accordance with one embodiment of the present disclosure.
- FIG. 4 is a simplified block diagram of an example system for assessing potential cybersecurity threats to a subject system, such as through the process shown in FIG. 1.
- FIG. 5 illustrates an example configuration of a client computer device shown in FIG. 4, in accordance with one embodiment of the present disclosure.
- FIG. 6 illustrates an example configuration of the server system shown in FIG. 4, in accordance with one embodiment of the present disclosure.
- FIG. 7 is a flowchart illustrating an example of a process of assessing potential cybersecurity threats to a subject system and determining potential countermeasures using the system shown in FIG. 4, in accordance with one embodiment of the disclosure.
- The implementations described herein relate to systems and methods for assessing potential cybersecurity threats and, more specifically, to automatically assessing potential cybersecurity threats to a subject system and determining potential countermeasures. More specifically, a cybersecurity analyzing ("CSA") computer device is provided for analyzing (1) one or more subject systems, such as computer systems or computer networks, for potential cyber-security threats and (2) attack path models for the subject system to determine the viability of potential attack paths and to determine potential countermeasures to reduce the viability of those potential attacks.
- Described herein are computer systems such as the CSA computer devices and related computer systems. As described herein, all such computer systems include a processor and a memory. However, any processor in a computer device referred to herein may also refer to one or more processors wherein the processor may be in one computing device or a plurality of computing devices acting in parallel. Additionally, any memory in a computer device referred to herein may also refer to one or more memories wherein the memories may be in one computing device or a plurality of computing devices acting in parallel.
- As used herein, the term “cybersecurity threat” includes an unauthorized attempt to gain access to a subject system. Cybersecurity threats, also known as cyber-attacks or cyber-threats, attempt to breach computer systems by taking advantage of vulnerabilities in the computer systems. Some cybersecurity threats include attempts to damage or disrupt a subject system. These cybersecurity threats may include, but are not limited to, active intrusions, spyware, malware, viruses, and worms. Cybersecurity threats may take many paths (also known as attack paths) to breach a system. These paths may include operating system attacks, misconfiguration attacks, application level attacks, and shrink wrap code attacks. Cybersecurity threats may be introduced by individuals or systems directly accessing a computing device, remotely via a communications network or connected system, or through an associated supply chain.
- As used herein, a processor may include any programmable system including systems using micro-controllers, reduced instruction set circuits (RISC), application-specific integrated circuits (ASICs), logic circuits, and any other circuit or processor capable of executing the functions described herein. The above examples are example only, and are thus not intended to limit in any way the definition and/or meaning of the term “processor.”
- As used herein, the term “database” may refer to either a body of data, a relational database management system (RDBMS), or to both. As used herein, a database may include any collection of data including hierarchical databases, relational databases, flat file databases, object-relational databases, object oriented databases, and any other structured collection of records or data that is stored in a computer system. The above examples are example only, and thus are not intended to limit in any way the definition and/or meaning of the term database. Examples of RDBMS' include, but are not limited to including, Oracle® Database, MySQL, IBM® DB2, Microsoft® SQL Server, Sybase®, and PostgreSQL. However, any database may be used that enables the systems and methods described herein. (Oracle is a registered trademark of Oracle Corporation, Redwood Shores, Calif.; IBM is a registered trademark of International Business Machines Corporation, Armonk, New York; Microsoft is a registered trademark of Microsoft Corporation, Redmond, Wash.; and Sybase is a registered trademark of Sybase, Dublin, Calif.)
- In one embodiment, a computer program is provided, and the program is embodied on a computer-readable medium. In an example embodiment, the system is executed on a single computer system, without requiring a connection to a server computer. In a further embodiment, the system is being run in a Windows® environment (Windows is a registered trademark of Microsoft Corporation, Redmond, Wash.). In yet another embodiment, the system is run on a mainframe environment and a UNIX® server environment (UNIX is a registered trademark of X/Open Company Limited located in Reading, Berkshire, United Kingdom). The application is flexible and designed to run in various different environments without compromising any major functionality. In some embodiments, the system includes multiple components distributed among a plurality of computing devices. One or more components may be in the form of computer-executable instructions embodied in a computer-readable medium.
- As used herein, an element or step recited in the singular and preceded with the word “a” or “an” should be understood as not excluding plural elements or steps, unless such exclusion is explicitly recited. Furthermore, references to “example embodiment” or “one embodiment” of the present disclosure are not intended to be interpreted as excluding the existence of additional embodiments that also incorporate the recited features.
- As used herein, the terms “software” and “firmware” are interchangeable, and include any computer program stored in memory for execution by a processor, including RAM memory, ROM memory, EPROM memory, EEPROM memory, and non-volatile RAM (NVRAM) memory. The above memory types are example only, and are thus not limiting as to the types of memory usable for storage of a computer program.
- Furthermore, as used herein, the term “real-time” refers to at least one of the time of occurrence of the associated events, the time of measurement and collection of predetermined data, the time to process the data, and the time of a system response to the events and the environment. In the embodiments described herein, these activities and events occur substantially instantaneously.
- The systems and processes are not limited to the specific embodiments described herein. In addition, components of each system and each process can be practiced independent and separate from other components and processes described herein. Each component and process also can be used in combination with other assembly packages and processes.
- FIG. 1 illustrates a block diagram of a process 100 to assess potential cybersecurity threats to a subject system and determine potential countermeasures, in accordance with one embodiment of the present disclosure. In the exemplary embodiment, process 100 is performed by one or more computer devices, such as cybersecurity analyzing (CSA) server 412 shown in FIG. 4.
- In the exemplary embodiment, the CSA server 412 identifies 105 cyber hazard events. For the purposes of this discussion, a cyber hazard event is an event, in most cases caused by an adversary, that has the potential to cause damage, such as the exfiltration of a password, infection of a specific device, or loss of access to, or of data from, a specific device or network. Cyber hazard events may include, but are not limited to, cybersecurity threats. They may include both anomalous cyber events (e.g., events resulting from user error or random system failures) and adversarial events (e.g., events initiated by an adversary intending to cause negative effects). In the exemplary embodiment, hazard events are the results of a series of actions, including adversarial actions. These adversarial actions may themselves be hazard events, or simply other actions that set up the hazard event. Hazard events are then the ultimate outcomes that have a negative cyber effect. In some embodiments, the cyber hazard event is provided to the CSA server 412 by a subject matter expert or other user. In other embodiments, the CSA server 412 receives a list of cyber hazard events to analyze. In still other embodiments, the CSA server 412 receives a subject system and identifies 105 which cyber hazard events to analyze for that subject system.
- For the purposes of this discussion, a subject system is a system that must be kept secure. This may be a computer device or a computer network, but it also includes the individuals associated with the system, the location of the system, and any other physical objects or software that provide access to the system. For example, a subject system may include a computer network. In this case, the subject system would also include the users with access to the computer network, access to where the hardware of the computer network is stored, access to where the users work, the supply chain that provides the hardware of the subject system, and any other hardware or software that an adversary may use to access the subject system. Furthermore, a subject system may also be a supply chain, a server room or closet, a paper filing system, or any other system that needs to be secure from adversarial actions.
- The CSA server 412 creates 110 attack graphs based on the subject system to be analyzed and the cyber hazard events. By considering a sequence of adversarial actions as nodes along a simple path, an attack path is created. An attack path is a “recipe” for an adversary to effect a cyber hazard event. Any given hazard event may have several associated attack paths. The CSA server 412 organizes these attack paths by combining paths with common nodes to create 110 an attack graph structure for each hazard event. In the exemplary embodiment, the resulting attack graphs are directed acyclic graphs with defined entry points (leaf nodes) and a single terminal point (the root node, corresponding to the hazard event). For a given attack graph, the sequences of adversarial actions leading to the hazard event are found by enumerating each path that originates at a leaf node and terminates at the root node. The CSA server 412 attempts to include all reasonable paths to prevent underestimation. In the exemplary embodiment, the CSA server 412 excludes attack paths that are not possible using existing technology or that require improbable events to occur.
- In at least one embodiment, the CSA server 412 accesses a database of potential adversarial actions and historical attack paths to create 110 the attack graphs. In this embodiment, the CSA server 412 receives information about the subject system to be analyzed and automatically creates 110 the attack paths and the attack graphs for that subject system.
- For the purposes of this discussion, the term likelihood refers to the probability that a hazard event occurs. At a high level, the likelihood of a cybersecurity hazard event is a function of the following (not necessarily independent) factors: 1) adversary intent: an adversary must choose which targets to exploit, as time and resources generally prevent the exploitation of all targets; 2) adversary ability: a given adversary generally cannot exploit every target, and a top-tier nation-state actor is typically assumed to pose the preeminent cybersecurity threat; and 3) system security/access: systems may be isolated and protected by numerous countermeasures, and while some systems are trivial to penetrate, others are nearly impossible. Although likelihood can be thought of as a function of these three factors, this assessment considers only the properties of the system. Properties of the adversary are difficult to ascertain and are often known only after an adversary has exploited a system, so only the properties of the system are generally considered.
- To differentiate the metric used herein from the broader concept of likelihood, the term “exploitability” is used. This exploitability level is intended to express a threshold adversarial ability required to elicit a hazard event. A system that is more exploitable is assumed to be more easily attacked by a less capable adversary. Conversely, systems that are less exploitable can generally only be successfully attacked by a more capable adversary. In this interpretation, exploitability in the presence of some assumed adversary capabilities can be seen as the foundation of evaluating how secure a system is against attacks in general, irrespective of adversarial intent.
- The CSA server 412 determines 115 exploitability and uncertainty values for each node of each attack graph. In the exemplary embodiment, the system uses a 1 to 5 integer scale to rate exploitability. Exploitability corresponds to the adversary ability required to perform an action. Each node in the attack graph corresponds to a step in an attack, so the CSA server 412 rates each node with an exploitability score: an assessment of the adversarial ability required to perform the action and continue along a path in the attack graph toward a cyber hazard event. Table 1 gives the correspondence between each exploitability level and the required adversarial ability class. Note that the scale runs opposite to difficulty: a lower level means a more capable adversary is needed, so a level-1 node is the hardest to exploit and a level-5 node the easiest.

TABLE 1

| Level | Description of adversarial ability required to exploit node |
|---|---|
| 1 | Top-tier nation-state military/intelligence agency with human intelligence |
| 2 | Lower-tier nation-state agency, organized crime groups, large professional hacker collectives |
| 3 | Small groups of professional hackers/criminals |
| 4 | Professional hacker working alone or mostly alone |
| 5 | Individual with basic technical skills equivalent to an engineering bachelor's degree |

- For the purposes of the model, it is assumed that an adversary of the class corresponding to the assigned exploitability level will successfully defeat the node 50% of the times exploitation is attempted. For example, if a node is assigned an exploitability level of 3, a small group of professional hackers/criminals working together will successfully complete the corresponding action 50% of the times the action is attempted. This is a statistical convention of the model and does not necessarily aid in the assignment of exploitability levels to nodes. For the purposes of this discussion, exploitability is a threshold of possible exploitation, not a threshold of certain exploitation.
- In addition to an exploitability level for each node, the CSA server 412 assigns an uncertainty level to the node. This uncertainty level captures the confidence associated with the assessor's assignment of the exploitability level. If the exploitability level is believed to be accurate (e.g., very high confidence that the assigned exploitability level corresponds to the actual exploitability), then the CSA server 412 assigns an uncertainty level of 1. If no knowledge of the required ability is available, then the CSA server 412 assigns an uncertainty level of 4, which indicates even odds for each of the 5 exploitability bins. In this latter case, the exploitability level is irrelevant, as even odds are assumed for each level. Table 2 describes the 4 uncertainty levels.

TABLE 2

| Level | Description of uncertainty level | Statistical description |
|---|---|---|
| 1 | The exploitability level of the assigned action/attack is known with a high degree of certainty | 5% uncertain |
| 2 | Various factors could adjust the exploitability level +/- one level, but the actual level is generally expected to take on the assigned level | 50% uncertain |
| 3 | The assigned exploitability level represents a very approximate value | 75% uncertain |
| 4 | It is unknown what the exploitability level ought to be | Unknown; even odds for each exploitability level |

- In at least one embodiment, the CSA server 412 accesses a database of actions and their associated exploitability and uncertainty values to determine 115 the exploitability and uncertainty values for each node of each attack graph. In this embodiment, the CSA server 412 receives information about the subject system to be analyzed and automatically determines 115 the exploitability and uncertainty values for each node.
- The CSA server 412 performs 120 aggregation of the exploitability over each attack path in an attack graph. After each node in the attack graph has been assigned an exploitability level and an uncertainty level, the exploitability of each attack path through the attack graph can be calculated. In the exemplary embodiment, the CSA server 412 simulates attacks within the attack graph. Each node in the graph can be considered a filter that blocks or passes attacks based on adversary ability. Randomly selected adversary abilities are applied to the head of each path and are then filtered in sequence by each node. Attacks that pass all the way through the path are collected into bins by adversary ability to generate a distribution that represents the aggregated filtering function of the entire path.
- In some embodiments, the filters along each path are instead multiplied together to achieve the same result: as the number of simulation trials approaches infinity, the aggregate filter function at the end node converges to the product of the filter functions of the individual nodes (assuming each node filters independently of the others). This latter approach is far more computationally efficient. Once all of the paths for a given hazard event have been aggregated into a set of filter distributions, the maximum is taken across all of these aggregated path distributions. This maximum of the path distributions is the distribution at the node corresponding to the hazard event. From this maximum distribution, the aggregated exploitability and uncertainty levels can be calculated for the hazard event node.
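- Steps 110 and 120 carried through in code, as an added example that is not the patent's own implementation: paths are enumerated leaf-to-root from a small directed acyclic graph, each node's (exploitability, uncertainty) pair becomes a filter built from the truncated normal distribution with Table 3's standard deviations and the 0.2-spaced normalization of Equation 2, filters are multiplied along each path, the maximum is taken across paths, and the Monte Carlo simulation the text describes is run against the product rule. The edges in EDGES are constructed (the page lists FIG. 2's nodes but not its edges), the node scores are taken from Table 4, the moment integrals used to turn the aggregated survival function back into a level and an uncertainty are the editor's reading of “an aggregated mean and an uncertainty”, and the nearest-bin mapping back to U is a simplification of the page's Equation 3.

```python
import math
import random

# Added example, not the patent's code.  Table 3 of the page: uncertainty level U
# -> standard deviation of the normalized exploitability.
SIGMA_BY_U = {1: 0.05, 2: 0.15, 3: 0.4, 4: 100.0}

def normalize(level):
    """Level 1..5 -> bin centre on [0, 1]: 1 -> 0.1, ..., 5 -> 0.9 (page's Equation 2)."""
    return 0.2 * level - 0.1

def denormalize(e_hat):
    """Inverse of normalize(); aggregation yields fractional levels."""
    return (e_hat + 0.1) / 0.2

def _phi(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def truncnorm_cdf(x, mu, sigma, a=0.0, b=1.0):
    """CDF of Normal(mu, sigma) truncated to [a, b]; sigma=100 is the page's near-uniform case."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    lo, hi = _phi((a - mu) / sigma), _phi((b - mu) / sigma)
    return (_phi((x - mu) / sigma) - lo) / (hi - lo)

def node_filter(x, level, u):
    """Survival function of one node (page's Equation 4): probability that an adversary
    of normalized ability x passes it.  Lower x = more capable adversary, so it falls as
    x grows; exactly 0.5 at the bin centre for level 3, shifted slightly near the ends."""
    return 1.0 - truncnorm_cdf(x, normalize(level), SIGMA_BY_U[u])

def enumerate_paths(edges, root):
    """Leaf-to-root paths of a DAG given as {node: [nodes it leads to]}; the root
    (the hazard event) is left out of each path."""
    heads = set(edges) - {nxt for outs in edges.values() for nxt in outs}
    paths = []
    def walk(node, acc):
        if node == root:
            paths.append(acc)
            return
        for nxt in edges.get(node, []):
            walk(nxt, acc + [node])
    for head in sorted(heads):
        walk(head, [])
    return paths

def path_filter(x, path, scores):
    """Equation 5: product of the node filters along one path (nodes assumed independent)."""
    s = 1.0
    for n in path:
        s *= node_filter(x, *scores[n])
    return s

def hazard_filter(x, paths, scores):
    """Equation 6: the adversary picks the easiest path, so take the maximum over paths."""
    return max(path_filter(x, p, scores) for p in paths)

def aggregate(paths, scores, steps=2000):
    """Mean and standard deviation implied by the hazard's survival function
    (E[X] = int S, E[X^2] = int 2xS on [0, 1]: editor's reading of 'aggregated mean'),
    as (E_hat, sigma, level on the 1..5 scale, nearest Table 3 uncertainty level)."""
    h = 1.0 / steps
    m1 = m2 = 0.0
    for i in range(steps):
        x = (i + 0.5) * h
        s = hazard_filter(x, paths, scores)
        m1 += s * h
        m2 += 2.0 * x * s * h
    sd = math.sqrt(max(m2 - m1 * m1, 0.0))
    u = min(SIGMA_BY_U, key=lambda k: abs(SIGMA_BY_U[k] - sd))
    return m1, sd, denormalize(m1), u

def simulate_path(path, scores, trials=20000, seed=7):
    """The simulation the text describes: draw an adversary class, push it through each
    node in turn, bin successes by class.  Converges to path_filter() at each class."""
    rng = random.Random(seed)
    tried, passed = {}, {}
    for _ in range(trials):
        level = rng.randint(1, 5)
        tried[level] = tried.get(level, 0) + 1
        if all(rng.random() < node_filter(normalize(level), *scores[n]) for n in path):
            passed[level] = passed.get(level, 0) + 1
    return {lv: passed.get(lv, 0) / tried[lv] for lv in tried}

# Constructed subset of FIG. 2: label -> (exploitability, uncertainty) from Table 4.
SCORES = {"F": (1, 2), "J": (5, 1), "B": (3, 2), "H": (2, 1),
          "K": (5, 2), "L": (2, 2), "I": (3, 3), "M": (1, 2)}
# Constructed edges (the page lists FIG. 2's nodes, not its edges); "A" is the hazard event.
EDGES = {"F": ["J"], "J": ["A"], "B": ["H"], "H": ["A"],
         "K": ["L"], "L": ["I"], "I": ["A"], "M": ["A"]}

if __name__ == "__main__":
    paths = enumerate_paths(EDGES, "A")
    e_hat, sd, level, u = aggregate(paths, SCORES)
    print("paths:", paths)
    print(f"hazard A: E_hat={e_hat:.3f} sigma={sd:.3f} -> level {level:.2f}, U={u}")
    for lv, frac in sorted(simulate_path(["B", "H"], SCORES).items()):
        print(f"class {lv}: simulated {frac:.3f} vs product {path_filter(normalize(lv), ['B', 'H'], SCORES):.3f}")
```

- Two properties worth checking against the text when running this: a path of two nodes is never more exploitable than either node alone, because the product of two survival functions is below each factor, and the hazard node inherits the most exploitable path, because of the maximum. The simulation and the product agree to within sampling noise at every adversary class, which is the convergence claim the page makes in favour of the product form.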
- Effectively, the CSA server 412 analyzes all of the attack paths against all of the potential adversaries to determine the distribution. In some embodiments, the CSA server 412 accesses a database of stored attack paths to retrieve the distributions for attack paths that have been analyzed previously.
- The aggregated exploitability level for a particular hazard event is set by the driving nodes in the attack graph. More specifically, the aggregated exploitability level is driven to its value by a small number of nodes (typically less than 10% of the nodes). By examining the attack graph, the CSA server 412 may identify these nodes. As a rudimentary measure of this concept, the exploitability density distributions of the nodes in an attack graph can be summed to provide a view of the spread of exploitability across the attack graph.
- In some embodiments, a set of prototype attacks and exploits is stored in a database for comparison. For example, a table lists various attacks (e.g., insert malicious component in supply chain, infiltrate development environment, enter secured facility) along with baseline exploitability and uncertainty values. The assumptions behind each baseline are recorded as well, so that the CSA server 412 and/or one or more users can adjust the baseline exploitability and uncertainty scores as a real-world application requires.
- The CSA server 412 identifies 125 the consequences of each cyber hazard event. In most cyber risk assessment methodologies, consequence is captured on a semi-quantitative scale similar to the one used for likelihood. This consequence is typically indexed to the mission of the system: a trivial consequence has no impact on the mission, while the worst consequences are understood to be complete mission failure and/or loss of the system. These methods are highly effective in most cases and provide a basic comprehension of the distribution of consequence; however, the proportional difference between various consequences remains unknown.
- To improve upon this paradigm, the systems and methods described herein use financial data to estimate a dollarized consequence for hazard events. Dollarized consequences can, in contrast to semi-quantitative consequences, show the proportional difference between different consequences. While in some situations the cost data may be difficult to ascertain, collecting dollarized figures for commercial or development programs is achievable and should be done.
- Once dollarized consequence data is known, the CSA server 412 applies a set of associated consequences to each hazard event, and a most probable consequence is established. In some industries, a consequence distribution is typically created, and the expected value of this distribution is taken to be the most likely consequence. When adversarial attacks are considered, however, it is reasonable to assume that the adversary will pursue the highest-cost consequence that can be expected from a given hazard event. This assumption largely removes the concept of a distribution of consequences and yields a single value.
- The CSA server 412 analyzes 130 the results of the aggregation and the identified consequences. In some embodiments, the CSA server 412 analyzes 130 the exploitability score for each path as well as the cost of the consequences. In some embodiments, the CSA server 412 compares the cost of the consequence to the cost of the countermeasures to determine whether to analyze the graphs with the countermeasures. The analysis may also guide the CSA server 412 in determining where and which countermeasures to use.
- The CSA server 412 applies 135 countermeasures to the cyber hazard events and returns to steps 110 through 120. Once a baseline attack graph is constructed and the baseline exploitability, uncertainty, and consequences are calculated, the CSA server 412 may apply countermeasures to reduce the overall exploitability of a cyber hazard event as required to reduce risk. These countermeasures are added as additional nodes in the attack graphs, each scored by the exploitability of the adversarial action needed to defeat it. The overall exploitability is then recalculated, producing a mitigated cyber hazard event exploitability. The CSA server 412 is configured to consider a countermeasure only if the assigned exploitability of the countermeasure node is less than or equal to the current minimum exploitability in every path it mitigates for the hazard event (that is, the countermeasure must be at least as hard to defeat as the hardest existing step on each path it is added to). This principle ensures that countermeasures are not added that do not actually mitigate any risk or contribute to defense-in-depth, thus saving processing resources and delivering a parsimonious set of countermeasures.
- In some embodiments, the CSA server 412 considers countermeasures in sets. For example, one set of countermeasures could balance risk reduction, cost impacts, and schedule impacts, while another set could contain all countermeasures that could reasonably be applied to minimize risk. This gives the assessor (the CSA server 412 or a user) an opportunity to compare what was implemented (presumably the balanced set) against the set of all possible countermeasures. Where applying countermeasures beyond the balanced set does not substantially reduce risk, the determination may be that the additional countermeasures are an inefficient use of resources.
- When the CSA server 412 has completed all of the analysis, the CSA server 412 generates 140 proposals for the analyzed subject systems to mitigate the cyber hazard events. These proposals may include the cost/consequences of each hazard event, the cost to mitigate (add countermeasures), the critical paths or paths of highest exploitability, and the risk with and without those countermeasures. This analysis assists the user in determining which actions are the easiest and most cost-effective to mitigate.
- While the above steps of process 100 are described as being performed by the CSA server 412, in some embodiments the steps may be performed by a combination of the CSA server 412 and one or more users. In some embodiments, the CSA server 412 may perform one or more steps and then provide the results of those steps to a user or subject matter expert for potential adjustment.
- In at least one embodiment, this analysis process may be expressed mathematically, including a truncated normal distribution for exploitability, a plurality of normalizations to facilitate the use of the truncated normal distribution, a plurality of methods for aggregating attack paths into a single exploitability and uncertainty level for each hazard event, and a metric for the use of countermeasures.
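- The acceptance rule of step 135 and the balanced-versus-maximal set comparison, worked through on the integer exploitability scale. This is an added example, not code from the patent: the paths, their edges, the candidate countermeasures and their scores are constructed (FIG. 2 and FIG. 3 node labels are reused as names only), and hazard_level is a deliberately simple stand-in for the page's distributional aggregation that takes the easiest path's hardest step.

```python
# Added example, not the patent's own code: step 135's acceptance rule and the
# balanced-versus-maximal comparison, on the integer exploitability scale where a
# lower level is a harder step (1 = top-tier nation state, Table 1).  Paths, edges,
# candidate countermeasures and their scores are constructed; FIG. 2 / FIG. 3 labels
# are reused as names only.

# Each path lists (label, exploitability level) from entry node up to, but not
# including, hazard event A.
BASELINE_PATHS = {
    "facility":   [("F", 1), ("J", 5)],              # infiltrate facility, copy passcode
    "bruteforce": [("B", 3), ("H", 2)],              # capture traffic, brute force it
    "social":     [("K", 5), ("L", 2), ("I", 3)],    # contact, gain trust, owner divulges
    "router":     [("M", 1)],                        # malicious software on the router
}

# (label, exploitability of the adversarial action that defeats it, paths it is added to)
CANDIDATES = [
    ("N: periodic passcode change", 1, ["facility", "bruteforce", "social"]),  # FIG. 3's Node N
    ("P: lock out repeated auth failures", 2, ["bruteforce"]),   # hypothetical
    ("Q: signed router firmware", 3, ["router"]),                 # hypothetical
]


def path_min(path):
    """Hardest step on a path: its minimum exploitability level."""
    return min(level for _, level in path)


def hazard_level(paths):
    """Integer-scale stand-in for the page's aggregated hazard exploitability: the
    adversary takes the path whose hardest step is easiest (max of path minima).
    The page's real aggregation multiplies survival functions; this keeps the example
    on the scale the acceptance rule is stated in."""
    return max(path_min(p) for p in paths.values())


def accept(paths, cm_level, targets):
    """Page's rule at step 135: a countermeasure is considered only if its level is
    <= the current minimum exploitability on every path it would be added to.  A
    countermeasure that mitigates no path is rejected outright."""
    return bool(targets) and all(cm_level <= path_min(paths[t]) for t in targets)


def plan(paths, candidates):
    """Apply candidates in order against the *current* graph, so a later candidate that
    no longer lowers any path (because an earlier one already did) is dropped.  Returns
    (mitigated paths, accepted labels, rejected labels)."""
    current = {name: list(nodes) for name, nodes in paths.items()}
    accepted, rejected = [], []
    for label, level, targets in candidates:
        if accept(current, level, targets):
            for t in targets:
                current[t] = current[t] + [(label, level)]
            accepted.append(label)
        else:
            rejected.append(label)
    return current, accepted, rejected


def compare_sets(paths, balanced, maximal):
    """Step 135 'in sets': hazard level after the balanced set versus after every
    reasonable countermeasure, so extra cost can be weighed against extra reduction."""
    return hazard_level(plan(paths, balanced)[0]), hazard_level(plan(paths, maximal)[0])


if __name__ == "__main__":
    mitigated, ok, dropped = plan(BASELINE_PATHS, CANDIDATES)
    print("baseline hazard level:", hazard_level(BASELINE_PATHS))
    print("accepted:", ok)
    print("rejected:", dropped)
    print("mitigated hazard level:", hazard_level(mitigated))
    print("balanced vs maximal:", compare_sets(BASELINE_PATHS, CANDIDATES[:1], CANDIDATES))
```

- On these constructed inputs the baseline hazard sits at level 2 (the brute-force and social paths both bottom out at a level-2 step), Node N alone drives every path it touches to level 1, and the two later candidates are rejected: P because N already made the brute-force path harder than P is, and Q because the router path is already a level-1 step. The balanced set (N only) and the maximal set therefore reach the same hazard level, which is the situation the page describes as additional countermeasures being an inefficient use of resources. Order matters in plan(); a practitioner should try candidates cheapest-first or strongest-first and compare the accepted sets.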
- A truncated normal distribution may be used to describe exploitability. The truncated normal distribution is a normal distribution that has been truncated at some limits $a$ and $b$. A scaling factor is applied to the truncated density function to re-normalize the integral of the probability density function to 1. If $f_{\mu,\sigma}(x)$ is the normal distribution probability density function (PDF), then the truncated normal distribution PDF $f_{\mu,\sigma,a,b}(x)$ is given by Equation 1:
- $$f_{\mu,\sigma,a,b}(x) = \frac{f_{\mu,\sigma}(x)}{\int_a^b f_{\mu,\sigma}(t)\,dt} \ \text{ for } a \le x \le b, \text{ and } 0 \text{ otherwise} \qquad \text{(EQ. 1)}$$
- where $\mu$ is the mean, $\sigma$ is the standard deviation, $a$ is the lower truncation, and $b$ is the upper truncation.
- The previously described 1 to 5 scale is used to quantify exploitability. Since exploitability can be considered similar to a probability, it is normalized to a 0 to 1 scale for further calculations. This normalization also naturally gives attack graph calculations the desired stability under “normal” operations on real numbers. Equation 2 places the center of each exploitability bin 0.2 from the center of the adjacent bin, starting with exploitability 1 at 0.1:
- $$\hat{E} = 0.2\,E - 0.1 \qquad \text{(EQ. 2)}$$
- where $\hat{E}$ is the normalized exploitability ($\hat{E} \in [0, 1]$) and $E$ is the allocated exploitability level (valid $E \in [0.5, 5.5]$, allocated such that $E \in \{1, 2, 3, 4, 5\}$). Aggregating the normalized values along a path yields an aggregate exploitability for the attack path that depends on the length of the path as well as on the exploitability of the nodes themselves: the more actions the adversary must take, the more difficult the attack actually is.
- For each uncertainty level, a standard deviation is supplied that corresponds to the definition of the level. These standard deviations are given in Table 3 and apply only to the normalized exploitability $\hat{E}$.

TABLE 3

| Level ($U$) | Standard deviation ($\sigma_E$) |
|---|---|
| 1 | 0.05 |
| 2 | 0.15 |
| 3 | 0.4 |
| 4 | 100 |

- The standard deviation for Level 4 (a uniform distribution) would customarily be considered infinite ($\sigma_E = \infty$), but a finite approximation is used here, which is accurate to several decimal places.
- The uncertainty of the exploitability of each node is specified on a 1 to 4 scale divided into 4 bins. Calculations may be done using the truncated normal distribution with the standard deviation mapped to each uncertainty bin. Once calculations are complete, the resulting standard deviation values are translated back to the semi-quantitative, binned domain. The following function allows values to be interpolated using a smooth, piecewise function.
- Equation 3 is a smooth, piecewise function of the semi-quantitative input value $U \in [0, 4]$ that gives standard deviation values $\sigma_E \in [0, 100]$ as assigned in Table 3.
-
- where $\sigma_E$ is the normalized exploitability standard deviation and $U$ is the allocated exploitability uncertainty level.
- As described above, the exploitability score corresponds to an adversarial ability with even odds of completing the action at the assigned node. This implies that the odds of completing the action should be lower for an inferior adversary and higher for a superior adversary. The spread of these odds is proportional to the uncertainty. Conceptually, this creates a filter at each node that increasingly superior adversaries pass with greater ease. Mathematically, this can be expressed using the complement of the cumulative distribution function (that is, the survival function $S(x)$) of exploitability (Equation 4):
- $$S(x) = 1 - F_{\hat{E},\sigma_E}(x) \qquad \text{(EQ. 4)}$$
- where $F_{\hat{E},\sigma_E}(x)$ is the cumulative distribution function of the truncated normal distribution (with $a = 0$ and $b = 1$), $\hat{E}$ is the normalized exploitability level, $\sigma_E$ is the standard deviation corresponding to the uncertainty level as given in Table 3, and $x$ represents a normalized exploitability level ($x \in [0, 1]$).
- To aggregate exploitability along a path, the survival function $S_n(x)$ of each node is composed by multiplication over the set of nodes $N$ in the path, yielding an aggregated $S_{p_x}(x)$ for the path $p_x$ in an attack graph (Equation 5):
- $$S_{p_x}(x) = \prod_{n \in N(p_x)} S_n(x) \qquad \text{(EQ. 5)}$$
- where $N(p_x)$ is the set of nodes in the path $p_x$, $S_n(x)$ is the survival function of node $n \in N(p_x)$, and $x$ represents a normalized exploitability level ($x \in [0, 1]$).
- This can be used to aggregate the distributions for a given hazard event. A maximum value function may be used to create an aggregated survival function over every path $p_x$ in the set of paths $P$ associated with a particular hazard event (Equation 6):
- $$S_P(x) = \max_{p_x \in P} S_{p_x}(x) \qquad \text{(EQ. 6)}$$
- where $S_P(x)$ is the fully aggregated survival function for the hazard event, $S_{p_x}(x)$ is the survival function for the path $p_x \in P$, and $P$ is the set of all paths leading to the relevant hazard event.
- Once $S_P(x)$ is known for a hazard event, an aggregated mean and an uncertainty can be calculated. These values will be on the normalized scale ($\hat{E} \in [0, 1]$ and $\sigma_E \in [0, 100]$) and require conversion back to the semi-quantitative domain ($E \in [0.5, 5.5]$ and $U \in [0, 4]$ respectively).
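- Worked derivation, added here as an example and not part of the patent text: the page states that an aggregated mean and uncertainty can be read from $S_P(x)$ but does not show the computation. One reading consistent with the symbols above treats $S_P$ as the survival function of a random variable $X$ on $[0, 1]$ (it is non-increasing with $S_P(0) = 1$ and $S_P(1) = 0$ because every $S_{p_x}$ is, the truncation being at 0 and 1); the moment formulas, the inverse of the 0.2-spacing normalization and the nearest-bin rounding of $U$ are the editor's, not the page's.
- $$\hat{E}_P = \mathbb{E}[X] = \int_0^1 S_P(x)\,dx, \qquad \sigma_{E,P}^2 = \mathbb{E}[X^2] - \hat{E}_P^2 = \int_0^1 2x\,S_P(x)\,dx - \hat{E}_P^2$$
- Back on the semi-quantitative scale, inverting $\hat{E} = 0.2E - 0.1$ and reading $\sigma_E(U)$ from Table 3 (the page's Equation 3 is a smooth interpolant, not reproduced here):
- $$E_P = 5\,\hat{E}_P + 0.5, \qquad U_P = \arg\min_{U \in \{1,2,3,4\}} \left|\sigma_{E,P} - \sigma_E(U)\right|$$
- Check on a single-node path with $\hat{E} = 0.5$ and $\sigma_E = 0.05$: the truncation points lie ten standard deviations from the mean, so $S_P$ is the survival function of $N(0.5, 0.05)$ to floating-point precision and the integrals return $\hat{E}_P = 0.5$, $\sigma_{E,P} = 0.05$, that is $E_P = 3$ and $U_P = 1$, the values that were assigned. For a two-node path, $S_{p_x} = S_1 S_2 \le \min(S_1, S_2)$ because each factor is at most 1, hence $\hat{E}_P \le \min(\hat{E}_1, \hat{E}_2)$: adding a step can only make the path less exploitable, which is the path-length property stated after Equation 2.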
- To add in the countermeasures, the countermeasure depth $D(x)$ is defined as:
- $$D(x) = \sum_{n \in N(P)} f_{\hat{E}_n,\sigma_{E_n}}(x) \qquad \text{(EQ. 7)}$$
- where $N(P)$ is the set of unique nodes in the attack graph with set of paths $P$, $f_{\hat{E}_n,\sigma_{E_n}}(x)$ is the PDF of the truncated normal distribution given the normalized exploitability and standard deviation for node $n$, and $x$ represents a normalized exploitability level ($x \in [0, 1]$).
- FIG. 2 illustrates an exemplary attack path diagram 200 in accordance with one embodiment of the present disclosure. In the exemplary embodiment, diagram 200 reflects a simplified view of the various attack paths that an adversary could take to obtain the Wi-Fi password for a wireless local area network. Accordingly, the cyber hazard event for this example is the exfiltration of a password for the router. In diagram 200, each node 205 represents an action, while Node A 210 represents the cyber hazard event itself.
- Each node 205 is labelled with an exploitability score followed by an uncertainty number (e.g., 3, 2). The description, exploitability score, and uncertainty number for each of the nodes 205 shown in FIG. 2 are given in Table 4.
TABLE 4

| Label | Node description | Exploitability score | Uncertainty value |
|---|---|---|---|
| A | Passcode exfiltrated | 5 | 0 |
| B | Encrypted traffic obtained | 3 | 2 |
| C | Password written down by network owner | 4 | 1 |
| D | Network owner compromising data identified | 2 | 2 |
| E | Passcode requested of network owner | 4 | 1 |
| F | Facility where passcode resides infiltrated | 1 | 2 |
| G | Blackmail data presented to network owner | 5 | 1 |
| H | Passcode brute force attacked | 2 | 1 |
| I | Network owner divulges passcode | 3 | 3 |
| J | Passcode copy obtained | 5 | 1 |
| K | Contact established with network owner | 5 | 2 |
| L | Trust of network owner obtained | 2 | 2 |
| M | Malicious software installed on router | 1 | 2 |

- As shown in FIG. 2, each node 205 represents an action that can be taken by an adversary. The exploitability score represents the adversary ability required to perform the action, and the uncertainty level captures the confidence associated with the assignment of that score. For example, the action at Node M is installing malicious software on the router. This action received an exploitability score of 1, which corresponds to a top-tier nation-state military/intelligence agency (Table 1). The uncertainty level for this score is 2, which Table 2 describes as 50% uncertain: the true level could be one step either side of the assigned value, but is expected to be the assigned value. Node A, the hazard event, is listed with an uncertainty value of 0, outside the 1 to 4 scale of Table 2.
FIG. 3 illustrates another exemplary attack path diagram 300 with a countermeasure in accordance with one embodiment of the present disclosure. In the exemplary embodiment, diagram 300 reflects a simplified view of diagram 200 (shown inFIG. 2 ) with a countermeasure 305 (Node N) added. Thecountermeasure 305 is periodic passcode changes, therefore the associated adversarial action is preventing periodic passcode changes. This action is assigned the exploitability score of 1, which means it requires a top-tier nation-state military/intelligence agency. The exploitability score has an uncertainty value of 1, which represents 5% uncertain, which is the most certain on this scale. Accordingly, for most of the attack paths shown, periodically changing the passcode decreases the risk for that attack path being used. However, it is not shown as affecting the attack path from Node M, where malicious software is installed on router. -
FIG. 4 is a simplified block diagram of anexample system 400 for assessing potential cybersecurity threats to a subject system, such as through the process shown inFIG. 1 . In the example embodiment,system 400 is used for assessing potential cybersecurity threats to the subject system and determining potential countermeasures to mitigate those potential cybersecurity threats. In addition,system 400 is a cyber-security management system that includes a cyber-security analyzing (CSA) computer device 412 (also known as a CSA server) configured to analyze for and determine countermeasures for cybersecurity threats. - As described below in more detail,
CSA server 412 is programmed to analyze subject systems for potential hazard events. TheCSA server 412 is programmed to a) receive a subject system to analyze; b) determine a potential hazard event associated with the subject system; c) generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions; d) determine an exploitability score for each of the plurality of actions; e) determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score; f) aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system; and g) generate a response to the one or more vulnerabilities of the subject system. - In the example embodiment,
client systems 414 are computers that include a web browser or a software application, which enablesclient systems 414 to communicate withCSA server 412 using the Internet, a local area network (LAN), or a wide area network (WAN). In some embodiments,client systems 414 are communicatively coupled to the Internet through many interfaces including, but not limited to, at least one of a network, such as the Internet, a LAN, a WAN, or an integrated services digital network (ISDN), a dial-up-connection, a digital subscriber line (DSL), a cellular phone connection, a satellite connection, and a cable modem.Client systems 414 can be any device capable of accessing a network, such as the Internet, including, but not limited to, a desktop computer, a laptop computer, a personal digital assistant (PDA), a cellular phone, a smartphone, a tablet, a phablet, or other web-based connectable equipment. - A
database server 416 is communicatively coupled to adatabase 420 that stores data. In one embodiment,database 420 is a cybersecurity database that includes computer device and network configurations, cybersecurity threats, attack paths, countermeasures, and computer device models. In some embodiments,database 420 is stored remotely fromCSA server 412. In some embodiments,database 420 is decentralized. In the example embodiment, a person can accessdatabase 420 viaclient systems 414 by logging ontoCSA server 412. -
FIG. 5 illustrates an example configuration ofclient system 414 shown inFIG. 4 , in accordance with one embodiment of the present disclosure.User computer device 502 is operated by auser 501.User computer device 502 may include, but is not limited to, client systems 414 (shown inFIG. 4 ).User computer device 502 includes aprocessor 505 for executing instructions. In some embodiments, executable instructions are stored in amemory area 510.Processor 505 may include one or more processing units (e.g., in a multi-core configuration).Memory area 510 is any device allowing information such as executable instructions and/or transaction data to be stored and retrieved.Memory area 510 may include one or more computer-readable media. -
User computer device 502 also includes at least onemedia output component 515 for presenting information touser 501.Media output component 515 is any component capable of conveying information touser 501. In some embodiments,media output component 515 includes an output adapter (not shown) such as a video adapter and/or an audio adapter. An output adapter is operatively coupled toprocessor 505 and operatively coupleable to an output device such as a display device (e.g., a cathode ray tube (CRT), liquid crystal display (LCD), light emitting diode (LED) display, or “electronic ink” display) or an audio output device (e.g., a speaker or headphones). In some embodiments,media output component 515 is configured to present a graphical user interface (e.g., a web browser and/or a client application) touser 501. A graphical user interface may include, for example, an interface for viewing the results of the analysis of one or more subject systems. In some embodiments,user computer device 502 includes aninput device 520 for receiving input fromuser 501.User 501 may useinput device 520 to, without limitation, select a computer system to view the analysis ofInput device 520 may include, for example, a keyboard, a pointing device, a mouse, a stylus, a touch sensitive panel (e.g., a touch pad or a touch screen), a gyroscope, an accelerometer, a position detector, a biometric input device, and/or an audio input device. A single component such as a touch screen may function as both an output device ofmedia output component 515 andinput device 520. -
User computer device 502 may also include acommunication interface 525, communicatively coupled to a remote device such as CSA server 412 (shown inFIG. 4 ).Communication interface 525 may include, for example, a wired or wireless network adapter and/or a wireless data transceiver for use with a mobile telecommunications network. - Stored in
memory area 510 are, for example, computer-readable instructions for providing a user interface touser 501 viamedia output component 515 and, optionally, receiving and processing input frominput device 520. A user interface may include, among other possibilities, a web browser and/or a client application. Web browsers enable users, such asuser 501, to display and interact with media and other information typically embedded on a web page or a website fromCSA server 412. A client application allowsuser 501 to interact with, for example,CSA server 412. For example, instructions may be stored by a cloud service, and the output of the execution of the instructions sent to themedia output component 515. -
Processor 505 executes computer-executable instructions for implementing aspects of the disclosure. In some embodiments, theprocessor 505 is transformed into a special purpose microprocessor by executing computer-executable instructions or by otherwise being programmed. -
FIG. 6 illustrates an example configuration of theserver system 412 shown inFIG. 4 , in accordance with one embodiment of the present disclosure.Server computer device 601 may include, but is not limited to,database server 416 and CSA server 412 (both shown inFIG. 4 ).Server computer device 601 also includes aprocessor 605 for executing instructions. Instructions may be stored in amemory area 610.Processor 605 may include one or more processing units (e.g., in a multi-core configuration). -
Processor 605 is operatively coupled to acommunication interface 615 such thatserver computer device 601 is capable of communicating with a remote device such as anotherserver computer device 601, anotherCSA server 412, or client system 414 (shown inFIG. 4 ). For example,communication interface 615 may receive requests fromclient system 414 via the Internet, as illustrated inFIG. 4 . -
Processor 605 may also be operatively coupled to astorage device 634.Storage device 634 is any computer-operated hardware suitable for storing and/or retrieving data, such as, but not limited to, data associated with database 420 (shown inFIG. 4 ). In some embodiments,storage device 634 is integrated inserver computer device 601. For example,server computer device 601 may include one or more hard disk drives asstorage device 634. In other embodiments,storage device 634 is external toserver computer device 601 and may be accessed by a plurality ofserver computer devices 601. For example,storage device 634 may include a storage area network (SAN), a network attached storage (NAS) system, and/or multiple storage units such as hard disks and/or solid state disks in a redundant array of inexpensive disks (RAID) configuration. - In some embodiments,
processor 605 is operatively coupled tostorage device 634 via astorage interface 620.Storage interface 620 is any component capable of providingprocessor 605 with access tostorage device 634.Storage interface 620 may include, for example, an Advanced Technology Attachment (ATA) adapter, a Serial ATA (SATA) adapter, a Small Computer System Interface (SCSI) adapter, a RAID controller, a SAN adapter, a network adapter, and/or anycomponent providing processor 605 with access tostorage device 634. -
Processor 605 executes computer-executable instructions for implementing aspects of the disclosure. In some embodiments, theprocessor 605 is transformed into a special purpose microprocessor by executing computer-executable instructions or by otherwise being programmed. For example, theprocessor 605 is programmed with the instruction such as illustrated inFIG. 7 . -
FIG. 7 is a flowchart illustrating an example of aprocess 700 of assessing potential cybersecurity threats to a subject system and determining potential countermeasures using the system 400 (shown inFIG. 4 ), in accordance with one embodiment of the disclosure.Process 700 may be implemented by a computing device, for example the CSA server 412 (shown inFIG. 4 ). - In the exemplary embodiment, the
CSA server 412 receives 705 a subject system to analyze. The subject system may be, but it not limited to, a computer device, an Internet of Things device, or a computer network, as well as the hardware, software, and people that an adversary may compromise to access the subject system. In the exemplary embodiment, theCSA server 412 may receive information about the subject system to analyze, including, but not limited to, make, model, configuration, current settings, other connected devices, and any other information necessary to properly identify the subject system. In some embodiments, theCSA server 412 may look-up the subject system in a database, such as database 420 (shown inFIG. 4 ). - In the exemplary embodiment, the
CSA server 412 determines 710 a potential hazard event associated with the subject system. In some embodiments, theCSA server 412 retrieves the potential hazard event from thedatabase 420. The potential hazard event may be determined 710 based on similar subject systems and previously performed analysis. While only a single potential hazard event is mentioned, in the exemplary embodiment, theCSA server 412 may determine all of the potential hazard events that may be associated with the received subject system and perform analysis described herein on each of the potential hazard events. - In the exemplary embodiment, the
CSA server 412 generates 715 an attack graph associated with the potential hazard event. The attack graph includes a plurality of actions and may be similar to the attack graph shown inFIG. 2 . Each of the plurality of actions represents an adversarial action. - In the exemplary embodiment, the
CSA server 412 determines 720 an exploitability score for each of the plurality of actions in the potential hazard event. The exploitability score represents an adversary ability level to perform the corresponding action. TheCSA server 412 determines 725 an uncertainty level for each of the plurality of actions based on the corresponding exploitability score. The uncertainty level represents a confidence level associated with the determination of the exploitability score. In some embodiments, theCSA server 412 retrieves the exploitability scores and uncertainty levels from previously performed analyses. In other embodiments, theCSA server 412 calculates the exploitability scores and uncertainty levels based on one or more rules and historical values. - In the exemplary embodiment, the
CSA server 412aggregates 730 the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system. In some embodiments, theCSA server 412 performs a mathematical analysis of the exploitability scores and uncertainty levels. In some embodiments, the attack graph includes a plurality of attack paths. Each attack path includes one or more actions of the plurality of actions. TheCSA server 412 aggregates each of the plurality of attack paths based on the one or more actions associated with the corresponding attack path. In these embodiments, the one or more vulnerabilities are based on at least one of the plurality of attack paths. - In the exemplary embodiment, the
CSA server 412 generates 735 a response to the one or more vulnerabilities of the subject system. In some embodiments, the response is a report about the potential vulnerabilities and the risk levels associated with them and the subject system. In other embodiments, the response may include potential countermeasures and the associated costs with those countermeasures. - In some embodiments, the
CSA server 412 may determine one or more countermeasures based on the one or more vulnerabilities. These countermeasures may be determined based on information in thedatabase 420. TheCSA server 412 applies the one or more countermeasures to the attack graph and re-performs the above analysis to determine the effectiveness of the one or more countermeasures. TheCSA server 412 re-aggregates the plurality of actions based on the one or more countermeasures. - In some embodiments, the
CSA server 412 determines a plurality of potential hazard events for the subject system. TheCSA server 412 generates an attack graph for each of the plurality of potential hazard events. Then theCSA server 412 aggregates the plurality of actions for each of the plurality of attack graphs based on the corresponding plurality of exploitability scores and the plurality of uncertainty levels to determine one or more vulnerabilities of the subject system. - At least one of the technical solutions to the technical problems provided by this system may include: (i) improved security systems; (ii) reduced time and cost in securing subject system; (iii) capturing considerations outside of the subject systems which influence the subject system (see above comment; (iv) identifying the most cost effective countermeasures; and (v) analyzing security of systems based on potential adversarial actions.
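The per-node truncated-normal model from the equation above and the receive/graph/score/aggregate/respond procedure of process 700 (steps 715 through 735, plus the FIG. 3 re-run with a countermeasure), as one added worked example in Python. This is example code written for this page, not the patent's own implementation, and several things in it are assumptions rather than the patent's formulas: the edges linking the Table 4 actions (FIG. 2 itself is not reproduced in the text), the mapping of an exploitability score to a normalized value in [0,1], the standard deviations for uncertainty levels 0 and 3 (only levels 1 = 5% and 2 = 25% are stated), the rule that a path is only as exploitable as its hardest action, and the way a countermeasure node is attached to the paths it affects.

```python
import random
from statistics import NormalDist

# Table 4 from the patent: label -> (description, exploitability score, uncertainty level).
# Score 1 = needs a top-tier nation-state actor, 5 = easiest; the uncertainty level records
# how confident the assessor was in that score.
NODES = {
    "A": ("Passcode exfiltrated", 5, 0),
    "B": ("Encrypted traffic obtained", 3, 2),
    "C": ("Password written down by network owner", 4, 1),
    "D": ("Network owner compromising data identified", 2, 2),
    "E": ("Passcode requested of network owner", 4, 1),
    "F": ("Facility where passcode resides infiltrated", 1, 2),
    "G": ("Blackmail data presented to network owner", 5, 1),
    "H": ("Passcode brute force attacked", 2, 1),
    "I": ("Network owner divulges passcode", 3, 3),
    "J": ("Passcode copy obtained", 5, 1),
    "K": ("Contact established with network owner", 5, 2),
    "L": ("Trust of network owner obtained", 2, 2),
    "M": ("Malicious software installed on router", 1, 2),
}

# CONSTRUCTED edges (action -> actions it enables): an assumed reading of the node
# descriptions for this example, not the patent's FIG. 2.
EDGES = {
    "K": ["L", "D"], "L": ["E"], "D": ["G"], "E": ["I"], "G": ["I"], "I": ["A"],
    "F": ["C"], "C": ["J"], "J": ["A"],
    "B": ["H"], "H": ["A"],
    "M": ["A"],
}

# ASSUMED mappings. Score -> normalized exploitability in [0, 1] (1 -> 0.0, 5 -> 1.0).
# Uncertainty level -> standard deviation: levels 1 (5%) and 2 (25%) are from the text;
# 0 and 3 are guesses made for this example.
def normalized_exploitability(score):
    return (score - 1) / 4.0

UNCERTAINTY_TO_SIGMA = {0: 0.0, 1: 0.05, 2: 0.25, 3: 0.50}

def truncated_normal_pdf(x, mu, sigma, lo=0.0, hi=1.0):
    """PDF of N(mu, sigma) truncated to [lo, hi]: the per-node distribution of the equation."""
    if not lo <= x <= hi:
        return 0.0
    nd = NormalDist(mu, sigma)
    return nd.pdf(x) / (nd.cdf(hi) - nd.cdf(lo))

def sample_truncated_normal(rng, mu, sigma, lo=0.0, hi=1.0):
    """Inverse-CDF draw from the truncated normal; sigma == 0 means the score is certain."""
    if sigma == 0.0:
        return mu
    nd = NormalDist(mu, sigma)
    u = rng.uniform(nd.cdf(lo), nd.cdf(hi))
    u = min(max(u, 1e-12), 1.0 - 1e-12)  # keep inv_cdf away from its poles
    return min(max(nd.inv_cdf(u), lo), hi)

def attack_paths(edges, hazard):
    """Step 715: enumerate every entry-action-to-hazard path of the attack graph (a DAG)."""
    children = {c for cs in edges.values() for c in cs}
    paths = []

    def walk(node, path):
        if node == hazard:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            walk(nxt, path + [nxt])

    for root in (n for n in edges if n not in children):
        walk(root, [root])
    return paths

def path_exploitability(path, nodes, rng, samples=0):
    """Step 730 for one path. ASSUMED rule: a path is only as exploitable as its hardest
    action, so the path value is the minimum over its nodes. With samples > 0 the per-node
    uncertainty is propagated by Monte Carlo draws from each node's truncated normal."""
    def value(label, draw):
        _, score, unc = nodes[label]
        mu = normalized_exploitability(score)
        return sample_truncated_normal(rng, mu, UNCERTAINTY_TO_SIGMA[unc]) if draw else mu

    if not samples:
        return min(value(n, False) for n in path)
    return sum(min(value(n, True) for n in path) for _ in range(samples)) / samples

def assess(nodes, edges, hazard="A", countermeasures=(), samples=0, seed=0):
    """Steps 715-735: score every path and report the most exploitable one. Each countermeasure
    is (label, unaffected_nodes): an extra action the adversary must also defeat on every path
    that avoids the unaffected nodes (how FIG. 3's Node N is modelled here; an assumption)."""
    rng = random.Random(seed)
    results = {}
    for path in attack_paths(edges, hazard):
        effective = list(path)
        for label, unaffected in countermeasures:
            if not set(path) & set(unaffected):
                effective.append(label)
        results["->".join(path)] = round(path_exploitability(effective, nodes, rng, samples), 3)
    worst = max(results, key=results.get)
    return results, worst, results[worst]

if __name__ == "__main__":
    print("baseline:", assess(NODES, EDGES, samples=2000))
    # FIG. 3: Node N (preventing periodic passcode changes, score 1, uncertainty 1); the text
    # says it does not affect the path through Node M.
    with_n = dict(NODES, N=("Preventing periodic passcode changes", 1, 1))
    print("with N:", assess(with_n, EDGES, countermeasures=[("N", ["M"])], samples=2000))
```

With point values only (`samples=0`) every path containing a score-1 action collapses to 0.0, which hides the difference between the router-malware path and the paths Node N protects; with Monte Carlo draws the 25% uncertainty on Node M keeps the M path well above the N-protected paths, reproducing the FIG. 3 observation that the countermeasure lowers every path except the one through Node M.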
- The methods and system described herein may be implemented using computer programming or engineering techniques including computer software, firmware, hardware, or any combination or subset. As disclosed above, at least one technical problem with prior systems is that there is a need for a cost-effective and reliable manner of analyzing computer systems for potential adversarial cybersecurity threats. The system and methods described herein address that technical problem. Additionally, at least one of the technical solutions to the technical problems provided by this system may include: (i) improved security systems; (ii) increased understanding of the potential attack paths against systems; (iii) determination of the effectiveness of different countermeasures in different systems; and (iv) improved time and efficiency in performing an assessment of a system or subject system.
- The methods and systems described herein may be implemented using computer programming or engineering techniques including computer software, firmware, hardware, or any combination or subset thereof, wherein the technical effects may be achieved by performing at least one of the following steps: (a) receive a subject system to analyze; (b) determine a potential hazard event associated with the subject system; (c) generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions; (d) determine an exploitability score for each of the plurality of actions; (e) determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score; (f) aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system; and (g) generate a response to the one or more vulnerabilities of the subject system.
- The technical effects may also be achieved by performing at least one of the following steps: (a) receive a subject system to analyze, wherein the subject system to analyze is at least one of a computer and a computer network; (b) determine a potential hazard event associated with the subject system; (c) generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, wherein the attack graph includes a plurality of attack paths, wherein each attack path includes one or more actions of the plurality of actions, wherein each of the plurality of actions is an adversarial action; (d) determine an exploitability score for each of the plurality of actions, wherein the exploitability score represents an adversary ability level to perform the corresponding action; (e) determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, wherein the uncertainty level represents a confidence level associated with the determination of the exploitability score; (f) aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system; (g) aggregate each of the plurality of attack paths based on the one or more actions associated with the corresponding attack path; (h) determine one or more countermeasures based on the one or more vulnerabilities; (i) apply the one or more countermeasures to the attack graph; (j) aggregate the plurality of actions based on the one or more countermeasures; and (k) generate a response to the one or more vulnerabilities of the subject system, wherein the one or more vulnerabilities are based on at least one of the plurality of attack paths.
- In addition, the technical effects may also be achieved by performing at least one of the following steps: (a) determine a plurality of potential hazard events for the subject system; (b) generate an attack graph for each of the plurality of potential hazard events; and (c) aggregate the plurality of actions for each of the plurality of attack graphs based on the corresponding plurality of exploitability scores and the corresponding plurality of uncertainty levels to determine one or more vulnerabilities of the subject system.
- The computer-implemented methods discussed herein may include additional, less, or alternate actions, including those discussed elsewhere herein. The methods may be implemented via one or more local or remote processors, transceivers, servers, and/or sensors (such as processors, transceivers, servers, and/or sensors mounted on vehicles or mobile devices, or associated with smart infrastructure or remote servers), and/or via computer-executable instructions stored on non-transitory computer-readable media or medium. Additionally, the computer systems discussed herein may include additional, less, or alternate functionality, including that discussed elsewhere herein. The computer systems discussed herein may include or be implemented via computer-executable instructions stored on non-transitory computer-readable media or medium.
- As used herein, the term “non-transitory computer-readable media” is intended to be representative of any tangible computer-based device implemented in any method or technology for short-term and long-term storage of information, such as, computer-readable instructions, data structures, program modules and sub-modules, or other data in any device. Therefore, the methods described herein may be encoded as executable instructions embodied in a tangible, non-transitory, computer readable medium, including, without limitation, a storage device and/or a memory device. Such instructions, when executed by a processor, cause the processor to perform at least a portion of the methods described herein. Moreover, as used herein, the term “non-transitory computer-readable media” includes all tangible, computer-readable media, including, without limitation, non-transitory computer storage devices, including, without limitation, volatile and nonvolatile media, and removable and non-removable media such as a firmware, physical and virtual storage, CD-ROMs, DVDs, and any other digital source such as a network or the Internet, as well as yet to be developed digital means, with the sole exception being a transitory, propagating signal.
- This written description uses examples to disclose various implementations, including the best mode, and also to enable any person skilled in the art to practice the various implementations, including making and using any devices or systems and performing any incorporated methods. The patentable scope of the disclosure is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.
Claims (20)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/596,298 US11201893B2 (en) | 2019-10-08 | 2019-10-08 | Systems and methods for performing cybersecurity risk assessments |
CN202011037940.XA CN112637115A (en) | 2019-10-08 | 2020-09-28 | System and method for performing cyber-security risk assessment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/596,298 US11201893B2 (en) | 2019-10-08 | 2019-10-08 | Systems and methods for performing cybersecurity risk assessments |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210105294A1 true US20210105294A1 (en) | 2021-04-08 |
US11201893B2 US11201893B2 (en) | 2021-12-14 |
Family
ID=75273657
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/596,298 Active 2040-04-23 US11201893B2 (en) | 2019-10-08 | 2019-10-08 | Systems and methods for performing cybersecurity risk assessments |
Country Status (2)
Country | Link |
---|---|
US (1) | US11201893B2 (en) |
CN (1) | CN112637115A (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210336958A1 (en) * | 2020-04-23 | 2021-10-28 | Bank Of America Corporation | System for automated electronic data exfiltration path identification, prioritization, and remediation |
US11165815B2 (en) * | 2019-10-28 | 2021-11-02 | Capital One Services, Llc | Systems and methods for cyber security alert triage |
US20220131894A1 (en) * | 2020-10-26 | 2022-04-28 | Accenture Global Solutions Limited | Process risk calculation based on hardness of attack paths |
US20220263850A1 (en) * | 2021-02-16 | 2022-08-18 | Icf International | Distributed network-level probabilistic attack graph generation |
US11695795B2 (en) | 2019-07-12 | 2023-07-04 | Accenture Global Solutions Limited | Evaluating effectiveness of security controls in enterprise networks using graph values |
US20230269266A1 (en) * | 2020-04-10 | 2023-08-24 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
US11750657B2 (en) | 2020-02-28 | 2023-09-05 | Accenture Global Solutions Limited | Cyber digital twin simulator for security controls requirements |
US11757921B2 (en) | 2018-12-03 | 2023-09-12 | Accenture Global Solutions Limited | Leveraging attack graphs of agile security platform |
US11811816B2 (en) | 2018-12-03 | 2023-11-07 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11822702B2 (en) | 2018-12-03 | 2023-11-21 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11838307B2 (en) | 2020-07-09 | 2023-12-05 | Accenture Global Solutions Limited | Resource-efficient generation of analytical attack graphs |
US11838310B2 (en) | 2018-12-03 | 2023-12-05 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11876824B2 (en) | 2020-06-25 | 2024-01-16 | Accenture Global Solutions Limited | Extracting process aware analytical attack graphs through logical network analysis |
US11880250B2 (en) | 2021-07-21 | 2024-01-23 | Accenture Global Solutions Limited | Optimizing energy consumption of production lines using intelligent digital twins |
US11895150B2 (en) | 2021-07-28 | 2024-02-06 | Accenture Global Solutions Limited | Discovering cyber-attack process model based on analytical attack graphs |
US11973790B2 (en) | 2020-11-10 | 2024-04-30 | Accenture Global Solutions Limited | Cyber digital twin simulator for automotive security assessment based on attack graphs |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11863578B1 (en) * | 2019-10-15 | 2024-01-02 | The United States Of America, As Represented By The Secretary Of The Navy | Cyber vulnerability assessment tool threat assessment heuristie |
US11985157B2 (en) * | 2020-01-24 | 2024-05-14 | The Aerospace Corporation | Interactive interfaces and data structures representing physical and/or visual information using smart pins |
US11853418B2 (en) * | 2021-09-01 | 2023-12-26 | Rockwell Collins, Inc. | System and method for neural network based detection of cyber intrusion via mode-specific system templates |
CN116647416B (en) * | 2023-07-27 | 2023-11-07 | 深圳大学 | Network security index recommendation method, device, equipment and storage medium |
Family Cites Families (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6952779B1 (en) * | 2002-10-01 | 2005-10-04 | Gideon Cohen | System and method for risk detection and analysis in a computer network |
US20050246307A1 (en) | 2004-03-26 | 2005-11-03 | Datamat Systems Research, Inc. | Computerized modeling method and a computer program product employing a hybrid Bayesian decision tree for classification |
US9912677B2 (en) * | 2005-09-06 | 2018-03-06 | Daniel Chien | Evaluating a questionable network communication |
US8438643B2 (en) * | 2005-09-22 | 2013-05-07 | Alcatel Lucent | Information system service-level security risk analysis |
US7530105B2 (en) * | 2006-03-21 | 2009-05-05 | 21St Century Technologies, Inc. | Tactical and strategic attack detection and prediction |
US7573866B2 (en) | 2006-08-30 | 2009-08-11 | Mitsubishi Electric Research Laboratories, Inc. | Method for finding optimal paths using a stochastic network model |
US8392997B2 (en) * | 2007-03-12 | 2013-03-05 | University Of Southern California | Value-adaptive security threat modeling and vulnerability ranking |
US9985978B2 (en) * | 2008-05-07 | 2018-05-29 | Lookingglass Cyber Solutions | Method and system for misuse detection |
US9379895B2 (en) * | 2008-07-24 | 2016-06-28 | Zscaler, Inc. | HTTP authentication and authorization management |
JP2011118776A (en) | 2009-12-04 | 2011-06-16 | Sony Corp | Data processing apparatus, data processing method, and program |
US9602523B2 (en) * | 2012-06-07 | 2017-03-21 | Proofpoint, Inc. | Dashboards for displaying threat insight information |
US9426169B2 (en) * | 2012-02-29 | 2016-08-23 | Cytegic Ltd. | System and method for cyber attacks analysis and decision support |
US9225737B2 (en) * | 2013-03-15 | 2015-12-29 | Shape Security, Inc. | Detecting the introduction of alien content |
US10425429B2 (en) * | 2013-04-10 | 2019-09-24 | Gabriel Bassett | System and method for cyber security analysis and human behavior prediction |
US9367809B2 (en) * | 2013-10-11 | 2016-06-14 | Accenture Global Services Limited | Contextual graph matching based anomaly detection |
US9386034B2 (en) * | 2013-12-17 | 2016-07-05 | Hoplite Industries, Inc. | Behavioral model based malware protection system and method |
US9596264B2 (en) * | 2014-02-18 | 2017-03-14 | Proofpoint, Inc. | Targeted attack protection using predictive sandboxing |
US10289838B2 (en) * | 2014-02-21 | 2019-05-14 | Entit Software Llc | Scoring for threat observables |
US20150242745A1 (en) | 2014-02-21 | 2015-08-27 | Qualcomm Incorporated | Event-based inference and learning for stochastic spiking bayesian networks |
US9886581B2 (en) * | 2014-02-25 | 2018-02-06 | Accenture Global Solutions Limited | Automated intelligence graph construction and countermeasure deployment |
US9794279B2 (en) * | 2014-06-11 | 2017-10-17 | Accenture Global Services Limited | Threat indicator analytics system |
US9749339B2 (en) | 2015-02-24 | 2017-08-29 | Raytheon Company | Proactive emerging threat detection |
US10686828B2 (en) * | 2015-04-17 | 2020-06-16 | Soltra Solutions, Llc | Computerized system and method for securely distributing and exchanging cyber-threat information in a standardized format |
US9892261B2 (en) * | 2015-04-28 | 2018-02-13 | Fireeye, Inc. | Computer imposed countermeasures driven by malware lineage |
US9977905B2 (en) * | 2015-10-06 | 2018-05-22 | Assured Enterprises, Inc. | Method and system for identification of security vulnerabilities |
US10270788B2 (en) | 2016-06-06 | 2019-04-23 | Netskope, Inc. | Machine learning based anomaly detection |
US10084661B2 (en) | 2017-01-26 | 2018-09-25 | Macau University Of Science And Technology | Method for evaluating performance of a data communication network |
US20180262525A1 (en) | 2017-03-09 | 2018-09-13 | General Electric Company | Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid |
US10242202B1 (en) | 2017-09-15 | 2019-03-26 | Respond Software, Inc. | Apparatus and method for staged graph processing to produce a risk inference measure |
- 2019-10-08 US US16/596,298 patent/US11201893B2/en active Active
- 2020-09-28 CN CN202011037940.XA patent/CN112637115A/en active Pending
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11757921B2 (en) | 2018-12-03 | 2023-09-12 | Accenture Global Solutions Limited | Leveraging attack graphs of agile security platform |
US11907407B2 (en) | 2018-12-03 | 2024-02-20 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11838310B2 (en) | 2018-12-03 | 2023-12-05 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11822702B2 (en) | 2018-12-03 | 2023-11-21 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11811816B2 (en) | 2018-12-03 | 2023-11-07 | Accenture Global Solutions Limited | Generating attack graphs in agile security platforms |
US11695795B2 (en) | 2019-07-12 | 2023-07-04 | Accenture Global Solutions Limited | Evaluating effectiveness of security controls in enterprise networks using graph values |
US11165815B2 (en) * | 2019-10-28 | 2021-11-02 | Capital One Services, Llc | Systems and methods for cyber security alert triage |
US11785040B2 (en) | 2019-10-28 | 2023-10-10 | Capital One Services, Llc | Systems and methods for cyber security alert triage |
US11750657B2 (en) | 2020-02-28 | 2023-09-05 | Accenture Global Solutions Limited | Cyber digital twin simulator for security controls requirements |
US20230269266A1 (en) * | 2020-04-10 | 2023-08-24 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
US20210336958A1 (en) * | 2020-04-23 | 2021-10-28 | Bank Of America Corporation | System for automated electronic data exfiltration path identification, prioritization, and remediation |
US11451550B2 (en) * | 2020-04-23 | 2022-09-20 | Bank Of America Corporation | System for automated electronic data exfiltration path identification, prioritization, and remediation |
US11876824B2 (en) | 2020-06-25 | 2024-01-16 | Accenture Global Solutions Limited | Extracting process aware analytical attack graphs through logical network analysis |
US11838307B2 (en) | 2020-07-09 | 2023-12-05 | Accenture Global Solutions Limited | Resource-efficient generation of analytical attack graphs |
US11831675B2 (en) * | 2020-10-26 | 2023-11-28 | Accenture Global Solutions Limited | Process risk calculation based on hardness of attack paths |
US20220131894A1 (en) * | 2020-10-26 | 2022-04-28 | Accenture Global Solutions Limited | Process risk calculation based on hardness of attack paths |
US11973790B2 (en) | 2020-11-10 | 2024-04-30 | Accenture Global Solutions Limited | Cyber digital twin simulator for automotive security assessment based on attack graphs |
US11765195B2 (en) * | 2021-02-16 | 2023-09-19 | Icf International | Distributed network-level probabilistic attack graph generation |
US20220263850A1 (en) * | 2021-02-16 | 2022-08-18 | Icf International | Distributed network-level probabilistic attack graph generation |
US11880250B2 (en) | 2021-07-21 | 2024-01-23 | Accenture Global Solutions Limited | Optimizing energy consumption of production lines using intelligent digital twins |
US11895150B2 (en) | 2021-07-28 | 2024-02-06 | Accenture Global Solutions Limited | Discovering cyber-attack process model based on analytical attack graphs |
Also Published As
Publication number | Publication date |
---|---|
CN112637115A (en) | 2021-04-09 |
US11201893B2 (en) | 2021-12-14 |
Similar Documents
Publication | Title |
---|---|
US11201893B2 (en) | Systems and methods for performing cybersecurity risk assessments |
US11310254B2 (en) | Network anomaly detection |
US20220263856A1 (en) | System and method for electronic risk analysis and remediation using network monitored sensors and actionable feedback methodologies for operational resilience |
US20200358804A1 (en) | User and entity behavioral analysis with network topology enhancements |
US11323484B2 (en) | Privilege assurance of enterprise computer network environments |
US9544321B2 (en) | Anomaly detection using adaptive behavioral profiles |
JP6863969B2 (en) | Detecting security incidents with unreliable security events |
US10887335B2 (en) | Aggregation of risk scores across ad-hoc entity populations |
EP3195560B1 (en) | Lateral movement detection |
US20180191763A1 (en) | System and method for determining network security threats |
US20220060497A1 (en) | User and entity behavioral analysis with network topology enhancements |
US11457024B2 (en) | Systems and methods for monitoring security of an organization based on a normalized risk score |
US10791136B2 (en) | System and method for empirical organizational cybersecurity risk assessment using externally-visible data |
US11756404B2 (en) | Adaptive severity functions for alerts |
US20220377111A1 (en) | Scoring confidence in user compliance with an organization's security policies |
US9325733B1 (en) | Unsupervised aggregation of security rules |
US20220078203A1 (en) | Systems and methods for vulnerability-based cyber threat risk analysis and transfer |
US10511606B2 (en) | Method of discovering and modeling actor and asset relationships across a cloud ecosystem |
GB2599568A (en) | Systems and methods for calculating aggregation risk and systemic risk across a population of organizations |
US10977374B1 (en) | Method to assess internal security posture of a computing system using external variables |
CN110750795B (en) | Information security risk processing method and device |
US10388040B2 (en) | Modeling actor and asset relationships |
US11997140B2 (en) | Ordering security incidents using alert diversity |
US20220224721A1 (en) | Ordering security incidents using alert diversity |
JP2024521121A (en) | Confidence scoring of user compliance with organizational security policies |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: THE BOEING COMPANY, ILLINOIS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KRUSE, DAVID THOMAS;STEFFES, BENJAMIN JOSEPH;MACKEY, NATHAN;AND OTHERS;SIGNING DATES FROM 20190814 TO 20191007;REEL/FRAME:050656/0879 |
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |